Introduction to Information Security Management

Course Mission

- Educational value
  - Both theoretical and practical
  - Up-to-date
  - Relevant

Certified Information Security Manager

- Designed for personnel that have (or want to have) responsibility for managing an information security program
- Tough but very good quality examination
- Requires understanding of the concepts behind a security program, not just the definitions

CISM Exam Review Course Overview

- The CISM exam is based on the CISM job practice.
  - The ISACA CISM Certification Committee oversees the development of the exam and ensures the currency of its content.
- There are four content areas that the CISM candidate is expected to know.

Job Practice Areas

- Information Security Governance
- Information Risk Management
- Information Security Program Development and Management
- Information Security Incident Management

Domain Structure

Diagram (relationship between domains): Information Security Governance "mandates" Information Risk Management, which "drives" Information Security Program Development and Management, which "requires" Information Security Incident Management; further arrows labelled "influences" and "informs" link the domains back to one another.

CISM Qualifications

- To earn the CISM designation, information security professionals are required to:
  - Successfully pass the CISM exam
  - Adhere to the ISACA Code of Professional Ethics
  - Agree to comply with the CISM continuing education policy
  - Submit verified evidence of five (5) years of work experience in the field of information security
- Waivers are permitted for certifications

The Examination

Description of the Exam

- The exam consists of 150 multiple choice questions that cover the CISM job practice areas.
- Four hours are allotted for completing the exam.
- See the Job Practice Areas, including Task Statements and Knowledge Statements, listed on the ISACA website.

Examination Day

- Be on time!!
- Nothing may be brought into the exam room
- Breaks are permitted, but the clock does not stop
- All questions are multiple choice with four possible responses.
- Only choose the ONE BEST answer
- Preliminary pass/fail results provided at completion of the exam
- Detailed score provided via email in ten days

Completing the Examination Items

- Read each question carefully
- Read ALL answers prior to selecting the BEST answer
- Mark the appropriate answer
- Do not skip any questions
- There is no penalty for guessing. Answer every question.

Grading the Exam

- Candidate scores are reported as a scaled score based on the conversion of a candidate's raw score on an exam to a common scale.
- ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass.
- Good luck!

End of Introduction

- Welcome to the CISM course!!

2017 CISM® Review Course

Chapter 1
Information Security Governance

Information Security Governance

- Develop information security governance aligned with organisational objectives
  - Establish and/or maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organisational goals and objectives

Learning Objectives

- Understand the purpose of information security governance, what it consists of and how to accomplish it
- Understand the purpose of an information security strategy, its objectives, and the reasons and steps required to develop one
- Understand the meaning, content, creation and use of policies, standards, procedures and guidelines and how they relate to one another

Learning Objectives (continued)

- Develop business cases and gain commitment from senior leadership
- Define governance metrics requirements, selection and creation

Introduction

- To effectively address the ever-growing challenges of providing adequate protection for information assets, an information security strategy is essential.
  - Documents the direction and goals for the security program
  - Provides the basis for governance

Governance

- Governance:
  - The rules that run the organisation, including policies, standards and procedures
  - Sets direction and control for the organisation's activities

Steps in Establishing Governance

- Senior management deciding on desired outcomes
  - Based on acceptable risk
- Develop a security strategy based on those objectives
  - Move from current to desired state
- Create a roadmap to reach the objectives

Security Policies

- Designed to mitigate risk
- Usually developed in response to an actual or perceived threat
- State management's intent and direction at a high level
- Policies support strategic objectives

Standards

- Are developed or modified to set boundaries for people, processes, procedures and technologies
  - To maintain compliance with policies and support the achievement of the organisation's goals and objectives
- Collectively, standards are combined with other controls (i.e., technical, physical, administrative) to create the security baselines

Business Case

- Used to capture the business reasoning for initiating a project or task
  - Should identify needs and business purpose
  - Should include all factors that could affect project success or failure
  - Total Cost of Ownership (TCO) should address costs across the lifecycle of the project

Living Document

- Strategy is never static, as businesses evolve
  - Internal changes
  - External changes
- Objectives, approaches and methods may change to meet new conditions

Information Security Strategy Success

- Senior management support is essential
  - Funding
  - Staffing
  - Compliance
- Support gained by:
  - Educating senior management
  - Developing persuasive business cases

Effective Security

- Everyone must have responsibility for security and risk management
- Everyone must be aware of security policies and procedures
- Information security must be measured and monitored
  - Establish management accountability

Information Security Governance

- Information is data with meaning and purpose
- Information is indispensable to conduct business effectively today
- Information must:
  - Be available
  - Have integrity of data and process
  - Be kept confidential as needed
- Protection of information is a responsibility of the Board of Directors

Information Security

- Information protection includes:
  - Accountability
  - Oversight
  - Prioritisation
  - Risk management
  - Compliance (regulations and legislation)

Outcomes of Information Security Governance

- Develop, implement and manage a program:
  - Strategic alignment
  - Risk management
  - Value delivery
  - Resource optimisation
  - Performance measurement
  - Assurance process integration
- Strategy linked to business
- Policies based on strategy
- Standards based on policy
- Organisational structure with adequate resources and authority
- Defined workflows and structures that establish responsibilities and accountability
- Metrics and monitoring processes to ensure compliance and report on control effectiveness

Security Program Priorities

- Achieve high standards of corporate governance
- Treat information security as a critical business issue
- Create a security-positive environment
- Have declared responsibilities

Determining Risk Capacity

- Risk capacity is the objective amount of loss an enterprise can tolerate without its continued existence being called into question
- Risk appetite is defined as the amount of risk senior management is willing to accept in the pursuit of its mission
- Risk acceptance is a formal process, but accepted risk must not exceed the risk capacity

Scope and Charter of Information Security Governance

- Protect information in any medium
  - Written
  - Spoken
  - Electronic
  - Whether it is being created, viewed, transported, stored or destroyed

Information Technology vs Information Security

- IT has a focus on technology and the boundaries of technology
- Information security protects information at all times and locations, not just technology
- IT is not usually the owner of the data
  - IT has care or custody of the data and acts as custodian for the data owner

GRC - Governance, Risk Management and Compliance

- Governance - the responsibility of senior management and the board of directors
- Risk management - the process by which an organisation manages risk to an acceptable level
- Compliance - ensures that policies and standards are adequately adhered to

Business Model for Information Security

- A system must be viewed holistically, not merely as a sum of its parts
- Examine how complex systems work
  - Network of:
    - Events
    - Relationships
    - Reactions
    - Consequences
    - Technologies
    - People
    - Processes

BMIS (continued)

- Elements of the BMIS model:
  - Organisation design and strategy
  - People
  - Process
  - Technology

Assurance Process Integration - Convergence

- Integration of silos that were traditionally separate:
  - Physical security
  - Risk management
  - Privacy
  - Compliance
  - Information security

Roles and Responsibilities

- Role - a designation assigned to an individual by virtue of a job function or other label
- Responsibility - a description of a procedure or function related to the role that someone is accountable to perform
- RACI model - Responsible, Accountable, Consulted, Informed
- Skills must be considered when creating RACI charts: proficiencies, competencies, specific skills

Culture

- Culture represents organisational behaviour, norms, teamwork, attitude
- Culture is affected by:
  - Backgrounds, work ethics, values, past experiences, individual filters, perceptions
- Create a positive security culture

Governance Roles and Responsibilities

- Board of Directors/Senior Management
  - Effective security requires senior management support and oversight
  - Exercise due care
- Senior Management
  - Leadership and ongoing support
  - Responsible for ensuring that resources, functions and supporting infrastructure are available and properly utilised

Roles and Responsibilities

- Business Process Owners - assist in development of the security strategy
- Steering Committee - represents all stakeholders
  - Reviews strategy, specific actions and progress, emerging risk and compliance issues

Chief Information Security Officer (CISO)

- May also be the CIO, CFO, CEO
- Responsibility and authority to make decisions
- Ultimately the board of directors and senior management are responsible for risk.
- Everyone has a role to play in risk management

Governance Roles and Responsibilities (continued)

- System Owners
  - Responsible for ensuring that adequate protection (proper controls) is in place to protect systems and the data they process
  - Sign off on changes to their systems
- Information Owners
  - Responsible for the protection of data regardless of where it resides or is processed
- IT Security Practitioners
  - Responsible for proper implementation of security requirements

Gaining Management Support

- Formal presentation - business case
  - From a business perspective
  - Align security with the business
  - Identify risk and consequences
  - Describe audit and reporting procedures

Initial Business Case

- Derived from feasibility study
  - Project scope
  - Current analysis
  - Requirements
  - Approach
  - Evaluation
  - Formal review

Business Case and Project Review

- The business case answers the question: "Why should this project be undertaken?"
  - Business case may be updated as the project proceeds
  - Business case may be referred to during the project to determine if a project should continue or be cancelled

Communication Channels

- Track the status of the security program
- Share security awareness and knowledge of risk
- Communicate policies and procedures
- Deliver to all staff at the appropriate level of detail

Governance of Third-Party Relationships

- As organisations move more towards the use of third parties for support (e.g., the cloud), the need to govern and manage these relationships is of increasing importance.
  - Service providers
  - Outsourced operations
  - Trading partners
  - Merged or acquired organisations

Information Security Metrics

- A metric is a quantifiable entity that allows the measurement of the achievement of a process goal. The security program must be accountable for its budget, deliverables and strategy.
- Good metrics are:
  - Specific
  - Measurable
  - Attainable
  - Relevant
  - Timely
  - Accurate
  - Cost-effective
  - Repeatable
  - Predictive
  - Actionable

Standards for Metrics

- ISO/IEC 27004
- COBIT 5
- Centre for Internet Security (CIS)
- NIST Special Publication 800-55
- Formulas:
  - VAR (Value at Risk) - probable loss in a defined period
  - ROSI (Return on Security Investment)
  - ALE (Annual Loss Expectancy)

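As an added worked example (not from the course slides), the Python below applies the standard ALE and ROSI formulas the slide names (SLE = asset value x exposure factor, ALE = SLE x ARO, ROSI = (risk reduction - control cost) / control cost) to a constructed risk register and checks the untreated and treated ALE against a risk appetite and a risk capacity as defined on the Determining Risk Capacity slide. The asset values, control figures, appetite, capacity and the accept/mitigate decision rule are all assumptions for illustration; VAR is left out because it needs a loss distribution the slide does not provide.

```python
"""ALE and ROSI worked through for a small, constructed risk register.

Standard definitions used here (assumed, not quoted from the slides):
    SLE  = asset value x exposure factor          (single loss expectancy)
    ALE  = SLE x ARO                              (ARO = annualised rate of occurrence)
    ROSI = (ALE_before - ALE_after - control cost) / control cost
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # monetary value of the asset at risk
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    aro: float              # expected number of incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # yearly cost of running the control
    aro_reduction: float    # fraction by which the control lowers ARO (0..1)
    ef_reduction: float     # fraction by which the control lowers the exposure factor (0..1)


def sle(risk: Risk) -> float:
    """Single loss expectancy: loss from one occurrence of the event."""
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annual loss expectancy: expected loss per year, before any new control."""
    return sle(risk) * risk.aro


def ale_with_control(risk: Risk, control: Control) -> float:
    """ALE after the control reduces likelihood (ARO) and/or impact (exposure factor)."""
    treated = replace(
        risk,
        exposure_factor=risk.exposure_factor * (1.0 - control.ef_reduction),
        aro=risk.aro * (1.0 - control.aro_reduction),
    )
    return ale(treated)


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment as a ratio: positive means the control pays for itself."""
    risk_reduction = ale(risk) - ale_with_control(risk, control)
    return (risk_reduction - control.annual_cost) / control.annual_cost


def recommend(risk: Risk, control: Control, appetite: float, capacity: float) -> str:
    """Map the figures onto a risk response (illustrative rule, assumed for this example).

    appetite: annual loss senior management is willing to accept (risk appetite)
    capacity: loss the enterprise can survive (risk capacity); accepted risk must never exceed it
    """
    before = ale(risk)
    after = ale_with_control(risk, control)
    if after > capacity:
        return "terminate"   # even with the control, expected loss threatens the enterprise
    if before <= appetite:
        return "accept"      # within appetite: formal acceptance, no new spend needed
    if rosi(risk, control) > 0 and after <= appetite:
        return "mitigate"    # control pays for itself and brings the risk within appetite
    return "escalate"        # neither fits: transfer or redesign, a senior management decision


# Constructed sample register (all figures invented for illustration)
RISK_APPETITE = 50_000       # accept up to this much expected annual loss per risk
RISK_CAPACITY = 5_000_000    # losses beyond this would threaten the enterprise's survival

CUSTOMER_DB = Risk("customer database breach", asset_value=2_000_000, exposure_factor=0.25, aro=0.2)
DLP_CONTROL = Control("data loss prevention", annual_cost=60_000, aro_reduction=0.5, ef_reduction=0.4)

LOBBY_KIOSK = Risk("lobby kiosk defacement", asset_value=20_000, exposure_factor=0.5, aro=0.5)
KIOSK_CONTROL = Control("kiosk hardening", annual_cost=2_000, aro_reduction=0.5, ef_reduction=0.0)

NEW_VENTURE = Risk("unvetted payment service launch", asset_value=50_000_000, exposure_factor=1.0, aro=0.5)
VENTURE_CONTROL = Control("extra fraud monitoring", annual_cost=500_000, aro_reduction=0.5, ef_reduction=0.4)

REGISTER = [(CUSTOMER_DB, DLP_CONTROL), (LOBBY_KIOSK, KIOSK_CONTROL), (NEW_VENTURE, VENTURE_CONTROL)]


if __name__ == "__main__":
    for risk, control in REGISTER:
        print(f"{risk.name}: ALE {ale(risk):,.0f} -> {ale_with_control(risk, control):,.0f} "
              f"with '{control.name}', ROSI {rosi(risk, control):+.2f}, "
              f"response: {recommend(risk, control, RISK_APPETITE, RISK_CAPACITY)}")
```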
KPIs and KGIs

- Indicate attainment of service goals, organisational objectives and milestones
- Key Goal Indicators
- Key Risk Indicators

Security Integration

- Security needs to be integrated INTO the business processes
- The goal is to reduce security gaps through organisation-wide security programs
- Indicators of alignment:
  - Security enables business activities
  - Delay to business when risk cannot be managed
  - Defined security objectives and activities mapped to organisational objectives
  - Security steering committee

Areas to Measure (Metrics)

- Risk management
- Value delivery
- Resource management
- Performance measurement
  - Incident reporting
- Assurance process integration

Information Security Strategy

- Long-term perspective with well-defined objectives
- Standard across the organisation
- Aligned with business strategy / direction
- Understands the culture of the organisation
- Reflects business priorities
- Based on available resources

The Desired State of Security

- The "desired state of security" must be defined in terms of business and security attributes
  - It should be clear to all stakeholders what the intended security state is

Common Pitfalls

- Overconfidence
- Optimism
- Anchoring
- The status quo bias
- Mental accounting
- The herding instinct
- False consensus

Developing a Strategy: Prerequisites

- Defining business requirements for information security
- Determining the objectives of information security that will satisfy the requirements
- Locating and identifying information assets and resources
- Valuing information assets and resources
- Classifying information assets as to criticality and sensitivity
- Implementing a process to ensure that all assets have a defined owner

Business Linkages

- Business linkages
  - Start with understanding the specific objectives of a particular line of business
  - Take into consideration all information flows and processes that are critical to ensuring continued operations
  - Enable security to be aligned with and support business at strategic, tactical and operational levels

COBIT 5

- Framework for governance and management of enterprise IT
- Five key principles:
  - Meeting stakeholder needs
  - Covering the enterprise end-to-end
  - Applying a single, integrated framework
  - Enabling a holistic approach
  - Separating governance from management

Capability Improvement Framework

- Level 1 - Initial - processes unpredictable, poorly controlled and reactive
- Level 2 - Managed - processes characterised for projects and often reactive
- Level 3 - Defined - processes characterised for the organisation and often proactive
- Level 4 - Quantitatively Managed - processes measured and controlled
- Level 5 - Optimising - focus on process improvement

Balanced Scorecard (BSC)

- See next slide for diagram
- Enables organisations to clarify their vision and strategy and translate them into action

Balanced Scorecard (BSC)

Diagram: the four BSC perspectives (Financial, Customer, Process, Learning) arranged around Information and linked by arrows.

The ISO 27001:2013 Framework

- The goal of ISO 27001:2013 is to:
  - Establish
  - Implement
  - Maintain, and
  - Continually improve
  an information security management system
- Contains:
  - 14 clauses, 35 control objectives and 114 controls

Risk Management

- The basis for most security programs is risk management:
  - Development of controls
  - Acceptable risk
  - Operational cost of risk management
- The CISM must remember that risk is measured according to potential impact on the ability of the business to meet its mission, not just on the impact on IT.

Information Security Strategy Development

- Migration from current to desired state
- Creation of roadmap - the specific steps to implement the strategy
- Security objectives may be met through:
  - Controls, or
  - Reengineering a process to reduce risk

Resources

- Resources need to be enumerated and considered when developing a security program
- Use existing resources to maximise utilisation of resources
- Security strategy is based on an optimal mix of the resources available - policies, standards, architectures, etc.

Constraints and Considerations for a Security Program

- Constraints
  - Legal - laws and regulatory requirements
  - Physical - capacity, space, environmental constraints
  - Ethics - appropriate, reasonable and customary
  - Culture - both inside and outside the organisation
  - Costs - time, money
  - Personnel - resistance to change, resentment against new constraints

Constraints and Considerations for a Security Program (continued)

- Constraints
  - Organisational structure - how decisions are made and by whom, turf protection
  - Resources - capital, technology, people
  - Capabilities - knowledge, training, skills, expertise
  - Time - window of opportunity, mandated compliance
  - Risk appetite - threats, vulnerabilities, impacts

Security Program

- Starts with theory and concepts
  - Policy
- Interpreted through:
  - Procedures
  - Baselines
  - Standards
  - Guidelines
- Measured through audit

Architecture

- Enterprise information security architecture is similar to physical architecture
  - Requirements definition
  - Design / modelling
  - Creation of detailed blueprints
  - Development, deployment
- Architecture is planning and design to meet the needs of the stakeholders
- Security architecture is one of the greatest needs for most organisations

Using an Information Security Framework

- Architecture domains (TOGAF)
  - Business architecture
  - Application architecture
  - Data architecture
  - Technical architecture
- Security should be guided by, and tightly integrated into, the overall enterprise architecture

Controls

- Controls can be:
  - Physical
  - Technical
  - Procedural
- IT controls
- Non-IT controls
  - Labelling, handling requirements

Controls (continued)

- Countermeasures - reduce a vulnerability (reduce likelihood or impact of an incident)
- Layered Defense - defense in depth
  - Preventive
  - Containment
  - Detective
  - Reactive
  - Evidence collection and tracking
  - Recovery/restoration

Training and Awareness

- Must be an ongoing training program
- Awareness of policies and standards
- Relevant
- Clear and understandable
- Addressed in more detail in Chapter 3

Action Plan Metrics

- Plan of action
- Achievement of milestones
- Monitor progress on an ongoing basis
  - Allows for timely corrections to address issues
- Measure CSFs (critical success factors) against KPIs and KGIs

Technical Security Metrics

- Technical scans may identify a vulnerability but not identify whether a threat exists or the relative impact
  - Vulnerability scans
  - Server configuration compliance
  - IDS monitoring results
  - Firewall log analysis

Technical Security Metrics (continued)

- Focus on relevant metrics and analysis
  - What is important to manage security operations
  - IT security management requirements
  - The needs of business process owners
  - What senior management wants to know
- Provide regular communications and reporting

Action Plan Intermediate Goals

- Have specific near-term goals that align with the overall strategy
- The long-term state must be defined to maximise potential synergies and ensure that short- or intermediate-term action plans are ultimately aligned with the end goals

Information Security Program Objectives

- For most organisations, the security objective is met when:
  - Information is available and usable when required, and the systems that provide it can appropriately resist attacks (availability).
  - Information is observed by or disclosed to only those who have a right to know (confidentiality).
  - Information is protected against unauthorised modification (integrity).
  - Business transactions, as well as information exchanges between enterprise locations or with partners, can be trusted (authenticity and nonrepudiation).

Security Concepts

- Protection from:
  - Insider attacks
  - External attacks
  - Physical attacks
  - Technical attacks
  - Non-technical attacks

End of Domain One

Chapter 2
Information Risk Management

Exam Relevance

- This chapter reviews the knowledge base that the information security manager must understand to appropriately apply risk management principles and practices to an organisation's information security program.
- Manage information risk to an acceptable level based on risk appetite to meet organisational goals and objectives
- This domain represents 30 percent of the CISM examination (approx. 45 questions)

Learning Objectives

- Understand the importance of risk management as a tool for meeting business needs and developing a security management program to support these needs
- Understand ways to identify, rank, and respond to risk in a way that is appropriate as defined by organisational directives
- Assess the appropriateness and effectiveness of information security controls
- Report on information security risk effectively

Risk Management

Definition of Risk

- Risk can be defined as the combination of the probability (or likelihood) of an event and its consequences
- Risk is present when a threat can exploit a vulnerability and cause damage to an asset.
- Exposure (attack surface) represents the probability and impact of compromise

Why is Risk Important?

- Risk management is a fundamental function of information security
  - Provides rationale and justification for virtually all information security activities

© Firebrand Training Ltd

Classifying Assets

- The greater the value of an asset, the greater the risk.
- Value is based on criticality and sensitivity of an asset
- Asset value is essential to developing an effective cost-benefit calculation for resource utilisation and risk management approaches

Risk Management Steps

- Understand the threat landscape
- Determine the vulnerabilities that make an organisation susceptible to compromise
- Determine if risk levels are acceptable
- Assess risk mitigation options
- Review control effectiveness

Role of the Information Security Manager

- Risk is the responsibility of the business units
- The security manager serves in the role:
  - Investigatory
  - Monitoring
  - Facilitative

Risk Management Overview

- Balance between realising opportunities for gain and minimising vulnerabilities and loss
- Ensure the impact of threats is within acceptable limits at an acceptable cost
- Risk is inherent in all activities
  - Higher risk equates to higher returns

Risk Management

- Founded on risk assessment and an understanding of the risk universe
- Risk management may be centralised or decentralised
  - But should be done in a consistent manner across the enterprise

Controls

- Are designed as part of a risk management framework, which incorporates policies, standards, procedures, practices and organisational structures
- Provide reasonable assurance that business objectives are achieved and undesired events are:
  - Prevented
  - Detected
  - Addressed

Countermeasures

- Any process that serves to counter specific threats and can be considered a targeted control
- Reducing internal threats
- Reengineering and modifications to architecture
- Awareness programs for employees

Risk Management

- Risk management operates at all levels:
  - Strategic
  - Management
  - Operational

Risk Assessment

- Three phases:
  - Risk identification
  - Risk analysis
  - Risk evaluation

Importance of Risk Management

- Rationale and justification for information security activities
- Influenced by:
  - Culture
  - Mission and objectives
  - Organisational structure
  - Ability to absorb losses
  - Products and services
  - Management and operational processes
  - Physical, environmental, regulatory conditions

Outcomes of Risk Management

- Reduce the incidence of significant adverse impacts on an organisation by addressing threats, mitigating exposure, and/or reducing vulnerability or impact.
- Predictability that the organisation can operate effectively and profitably

Risk Management Strategy

- Acceptable level of risk is a management decision based on factors such as:
  - The ability of the organisation to absorb loss
  - Management's risk appetite
  - Costs to achieve acceptable risk levels
  - Risk-benefit ratios

Risk Communication

- Risk must be communicated to all stakeholders
- Focus on common understanding of the requirements and objectives of the risk management program

Risk Awareness

- Powerful tool in shaping ethics and influencing behaviours
- Risk should be well understood and known
- Information risk issues are identifiable
- Employees recognise that organisational risk can affect them personally
- The enterprise recognises and uses the means to manage risk

Effective Information Risk Management

- Supported by all members of the organisation
- Clear accountability to ensure proper management of risk
- Senior management commitment
- Sound information security practices
- Initial steps:
  - Context and purpose of the program
  - Scope and charter
  - Authority, structure and reporting relationships
  - Asset identification, classification and ownership
  - Risk management objectives
  - The methodology to be used
  - The implementation team

Risk Appetite and Tolerance

- Risk appetite is what is considered by management as an acceptable level of risk
- Risk tolerance is the acceptable level of deviation from the acceptable risk level

Risk Concepts

- There is a long list of concepts on page 135 that the CISM candidate should be familiar with
- The list of technologies on page 136 will be examined in more detail later in the course

Implementing Risk Management

- Identify and coordinate all risk management and security activities of the organisation
- Prevents:
  - Duplication of effort
  - Bypass of controls
- Minimises gaps in protection and assurance

Risk Management Process

- Establish scope and boundaries
- Identify information assets and valuation
- Perform risk assessment
- Determine risk treatment or response
- Accept residual risk
- Communicate about and monitor risk




Risk Response

- Terminate the risk (avoid)
- Reduce the risk (mitigate)
- Transfer the risk (share)
- Retain the risk (accept)

Defining a Risk Management Framework

- Reference models should be used and adapted for the organisation
  - COBIT 5
  - ISO 31000
  - IEC 31010
  - NIST SP 800-39
  - ISO/IEC 27005

Risk Management Requirements

- Policy
- Planning and resourcing
- Implementation program
- Management review
- Risk management process
- Risk management documentation

Criteria for Risk Management

- Basic parameters:
  - Acceptable risk
  - Control objectives
  - Scope
  - Basic assumptions of internal and external environment (see next slides)
  - Overall objectives

Defining the External Environment

- Environment in which the organisation operates
  - Local market - competition, financial, political
  - Law and regulatory environment
  - Social and cultural conditions
  - External stakeholders
  - Key business drivers
- Internal environment:
  - SWOT - organisation's strengths, weaknesses, opportunities, threats
  - Internal stakeholders
  - Organisation structure and culture
  - Assets in terms of resources (people, systems, processes, capital)
  - Goals and objectives and the strategies already in place

Determining Risk Management Context

- Balance between cost and benefits
- Scope of risk management activities
- Range of processes or activities to be assessed
- Full scope of risk management activities
- Roles and responsibilities of participants
- Organisational culture in terms of risk-averseness or -aggressiveness

Criteria to be Considered

- Impact
- Likelihood
- The rules that will determine whether the risk level is such that further treatment activities are required
- Gap analysis
  - Gap between existing controls and control objectives

Risk Assessment and Analysis Methodologies

The risk assessment process from NIST SP 800-30 (figure courtesy of NIST - used with permission):

- Step 1: Prepare for Assessment (derived from the organisational risk frame)
- Step 2: Conduct Assessment (expanded task view):
  - Identify threat sources and events
  - Identify vulnerabilities and predisposing conditions
  - Determine likelihood of occurrence
  - Determine magnitude of impact
  - Determine risk
- Step 3: Communicate Results
- Step 4: Maintain Assessment

© 2016 Firebrand


Information Asset Identification and Valuation

- Relative value to the business
  - Criticality and/or sensitivity
  - Replacement value
  - Cost to restore or rebuild
  - Loss of revenue
  - Regulatory sanctions / contractual defaults
  - Reputational damage
- Intrinsic value
Information Assets that must be Protected

- Proprietary information and processes
- Financial records and future projections
- Acquisition or merger plans
- Strategic marketing plans
- Trade secrets
- Patent-related information
- Personally Identifiable Information (PII)

Information Asset Valuation Methods

- Quantitative
- Historical
- Management directives
- Environmental factors
- Business goals
- Net present value (NPV)
Risk Assessment and Management Approaches

- Specific approaches will not be tested in the exam
- A CISM should be able to determine the most suitable approach or combination of approaches for their organisation

Aggregated and Cascading Risk

- Aggregated risk - minor vulnerabilities that in combination (aggregate) could have significant impact
- Cascading risk - a chain reaction where one event may cause a cascade of failures across other systems
Other Risk Assessment Models

- FAIR
- COBIT 5 for Risk
- Simulation models
- Probabilistic Risk Assessment
  - What can go wrong
  - How likely is it
  - What are the consequences

Identification of Risk

- Type and nature of threats are determined
  - Difficult to identify all viable threats
- Vulnerabilities are examined
- May be done through a knowledgeable group effort
  - Requires awareness
- Result should be a documented list of threats, vulnerabilities and consequences
Risk Identification Methodology

- Team-based exercises
- Structured techniques - flowcharting
- What-if and scenario analysis
- Threats identified internally and externally, mapped to specific vulnerabilities
- Top-down - business goals
- Bottom-up - systems and generic risk

Threats

- Physical
- Natural events
- Loss of essential services
- Disturbance due to radiation
- Compromise of information
- Technical failures
- Unauthorised actions
- Compromise of functions
Threats

- Accidental
- Intentional
- Natural
- Circumstantial
- Internal
- External

Threat Identification Sources

- Assessments
- Audits
- BCP
- Finance
- Government/media
- Insurance companies
- Vendors
- Security companies
- Users
Internal Threats

- Employees
  - Unhappy
  - Loss of key staff
  - Pressure to perform
  - Excessive access rights
- Contractors or ex-employees

External Threats

- Criminal activity
- Data corruption
- Disease (epidemic)
- Espionage
- Facility flaws (freezing pipes)
- Fire
- Flood
- Theft
- Hardware flaws
- Industrial accidents
- Lost assets
- Mechanical failures
- Power surges
- Sabotage
- Storms
- Supply chain
- Software errors
Advanced Persistent Threat (APT)

- An adversary that possesses sophisticated levels of expertise and significant resources, which allow it to create opportunities to achieve its objectives

APT Attack Lifecycle

- Attack lifecycle:
  - Initial compromise
  - Establish foothold
  - Escalate privileges
  - Internal reconnaissance
  - Move laterally
  - Maintain presence
  - Complete mission
Emerging Threats

- Indications of emerging threats:
  - Unusual activity
  - Repeated alarms
  - Slow system response
  - Slow network performance
  - New or excessive activity in logs

Emerging Threats - New Technologies

- Built for function without security
  - BYOD (bring your own device/disaster)
- Needs risk assessment, policies and procedures to integrate new technologies

Vulnerabilities

- Weakness
- Excellent sources of vulnerabilities exist
  - Scanners
- Prioritisation of vulnerabilities
  - Based on likelihood or potential degree of compromise
Risk, Likelihood and Impact

- Threat x Vulnerability = Risk
- Factors that affect likelihood:
  - Volatility
  - Velocity
  - Proximity
  - Interdependency
  - Motivation
  - Skill
  - Visibility
Essential Concept

- The cost of protection should be proportional to the value of the asset and should not exceed the value of the asset being protected
- There is often a point of diminishing returns where the cost of protection increases faster than the increase in benefits derived

Risk Register

- The risk register is created during the process of identifying risk
- It is a central repository for all information-specific risks
- Central reference point to understand the current risk profile of the organisation and review the status of risk mitigation efforts
Analysis of Risk

- Analysis of risk considers all the risk factors identified, including the presence of existing or planned controls
- Risk should be measured in a consistent manner across the organisation

Qualitative Analysis

- Magnitude and likelihood of potential consequences are described in detail using scales
- May be used:
  - As an initial assessment to identify risk
  - Where non-tangible aspects of risk are considered
  - Where there is a lack of adequate information and numerical data

Semi-quantitative Analysis

- Assign values to the scales used in qualitative analysis
- The values are not precise - indicators only
- May lead to inconsistencies

Quantitative Analysis

- Numerical values are assigned to likelihood and impact
- Depends on the accuracy of the assigned values and the validity of the statistical models used
- Consequences may be expressed in terms of:
  - Monetary
  - Technical
  - Operational
  - Human impact
Annual Loss Expectancy

- Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)
- The exposure factor is the proportion (percentage) of the asset's value that is lost in a single occurrence of the event; it is a measure of magnitude of harm, not a probability
- Annual Rate of Occurrence (ARO) = number of times an event is expected to happen per year (may be a fraction, e.g. 0.1 for once in ten years)
- Annual Loss Expectancy (ALE) = ARO x SLE
- ALE is the expected annual loss from an event

Other Risk Analysis Approaches

- Value at Risk (VaR) - statistical probabilities
- Operationally Critical Threat, Asset, and Vulnerability Evaluation® (OCTAVE®)
  - Three phases:
    - Build asset-based threat profiles
    - Identify infrastructure vulnerabilities
    - Develop a security strategy
- Bayesian Analysis
- Bow Tie Analysis
- Delphi Method
Evaluation of Risk

- Decisions have to be made concerning risk treatment and the priorities for treatment
  - Based on the previous analysis
- Risk that exceeds acceptable limits should be addressed
- Risk transfer is typically used for risk of high impact but low probability

Risk Ranking

- Risk ranking is used to direct the risk response effort
- Risk is ranked according to the evaluated level of risk
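The following added example (not part of the courseware) ties together the Risk Register, Semi-quantitative Analysis, Evaluation of Risk and Risk Ranking slides: it holds register entries, scores them on fixed ordinal scales, keeps inherent and residual scores apart, ranks them, and flags the entries whose residual score exceeds the acceptable level and so must be treated. It also surfaces the semi-quantitative pitfall the slides warn about by rejecting ratings that are not on the agreed scale. The scales, the four risks, the owners and the acceptable-risk threshold are all constructed assumptions.

```python
"""Risk register with semi-quantitative scoring, ranking and evaluation.

Added worked example; not part of the courseware. The five-point scales, the
register entries and the acceptable-risk threshold are constructed
assumptions. Inherent versus residual scoring follows the Residual Risk slide
(risk before and after existing controls).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed five-point ordinal scales. Semi-quantitative scores are only
# comparable if every entry is rated on the same scale, so the register
# rejects ratings that are not on it.
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3,
                              "likely": 4, "almost certain": 5}
IMPACT: Dict[str, int] = {"negligible": 1, "minor": 2, "moderate": 3,
                          "major": 4, "severe": 5}


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    asset: str
    likelihood: str                 # key of LIKELIHOOD
    impact: str                     # key of IMPACT
    owner: Optional[str] = None     # manager accountable for accepting the risk
    likelihood_reduction: int = 0   # scale steps removed by existing controls
    impact_reduction: int = 0

    def inherent(self) -> int:
        """Score before controls: likelihood x impact on a 1-25 scale."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Score after existing controls; neither factor drops below 1."""
        likelihood = max(1, LIKELIHOOD[self.likelihood] - self.likelihood_reduction)
        impact = max(1, IMPACT[self.impact] - self.impact_reduction)
        return likelihood * impact


class RiskRegister:
    def __init__(self, acceptable_risk: int) -> None:
        # Highest residual score that may be retained without further treatment.
        self.acceptable_risk = acceptable_risk
        self._entries: Dict[str, RiskEntry] = {}

    def add(self, entry: RiskEntry) -> None:
        if entry.likelihood not in LIKELIHOOD or entry.impact not in IMPACT:
            raise ValueError(f"{entry.risk_id}: rating not on the agreed scales")
        if entry.risk_id in self._entries:
            raise ValueError(f"{entry.risk_id}: duplicate risk identifier")
        self._entries[entry.risk_id] = entry

    def get(self, risk_id: str) -> RiskEntry:
        return self._entries[risk_id]

    def ranked(self) -> List[RiskEntry]:
        """Highest residual risk first; ties broken by inherent risk."""
        return sorted(self._entries.values(),
                      key=lambda e: (e.residual(), e.inherent()), reverse=True)

    def needs_treatment(self) -> List[RiskEntry]:
        """Entries whose residual score exceeds the acceptable level."""
        return [e for e in self.ranked() if e.residual() > self.acceptable_risk]

    def unowned(self) -> List[str]:
        """Risks nobody is accountable for; these can be neither accepted nor treated."""
        return [e.risk_id for e in self.ranked() if not e.owner]


def build_sample_register() -> RiskRegister:
    """Constructed register: four hypothetical risks, acceptable residual score 8."""
    register = RiskRegister(acceptable_risk=8)
    register.add(RiskEntry("R-001", "ransomware on the file server", "file server",
                           "likely", "severe", owner="Head of IT",
                           likelihood_reduction=2))          # patched, EDR in place
    register.add(RiskEntry("R-002", "lost laptop holding customer PII", "customer records",
                           "possible", "major"))             # no owner, no controls yet
    register.add(RiskEntry("R-003", "defacement of the marketing site", "public web site",
                           "possible", "minor", owner="Marketing Director",
                           likelihood_reduction=1))
    register.add(RiskEntry("R-004", "flood at the data centre", "data centre",
                           "rare", "severe", owner="Facilities Manager"))
    return register


REGISTER = build_sample_register()

if __name__ == "__main__":
    for entry in REGISTER.ranked():
        flag = "TREAT" if entry.residual() > REGISTER.acceptable_risk else "accept"
        print(f"{entry.risk_id} inherent={entry.inherent():2d} "
              f"residual={entry.residual():2d} {flag}")
    print("unowned:", REGISTER.unowned())
```

Note that ranking on the residual score changes the order: the ransomware risk has the highest inherent score (20) but existing controls bring it to 10, so the unprotected laptop risk (12) now heads the treatment list, and it is also the entry without an owner, which the Risk Ownership slide that follows says must be fixed before anyone can accept or treat it.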
Risk Ownership and Accountability

- Risk requires ownership and accountability
- Risk is owned by a manager or senior official
  - Should be someone with budgetary authority
- The risk owner is accountable for accepting risk and approving controls
- There should be a direct link between risk and the associated control
- The risk owner is also responsible for ensuring the monitoring of controls

Risk Treatment (Response) Options

- Avoid
- Transfer
- Mitigate
- Accept
- Risk ignorance is not an acceptable option
Residual Risk

- The risk prior to mitigation is known as inherent risk
- The risk that remains after the implementation of countermeasures is residual risk
- Risk tolerance is the acceptable deviation from the level of risk set by the risk appetite (acceptable risk)
- Calculated on either indirect or direct loss
- May be done either quantitatively or qualitatively
- Determined using Business Impact Analysis (BIA)
Controls

- Mitigate or reduce risk:
  - Technology
  - Process
  - Practice
  - Policy
  - Standard
  - Procedure
- May be managerial, administrative, technical or legal
- Layering of controls
- Ensure multiple controls do not share a single point of failure
- Upstream controls may reduce the need for further controls
- Avoid control duplication or redundancy

Other Considerations for Risk Response

- Legal and regulatory requirements
  - Is the organisation subject to regulatory requirements?
  - Is it compliant?
  - What is the risk of non-compliance?
- Cost and benefit
  - May affect the risk tolerance and acceptance decision

Baseline Security

- Minimum security levels mandated across the organisation
- Represents the collective ability of controls to protect the organisation
Security Incidents and Baselines

- Any security incident can be attributed to either a control failure or a lack of control
  - Significant failures require a risk assessment to determine the root cause of the failure
- The results of this assessment may require changes to the security baseline
- Vendor changes or environmental factors may also require changes to the security baseline

Information Asset Classification

- Identify:
  - All information assets
  - The location of all information assets - which systems are they on, where can they be accessed
  - The ownership of the information assets
- Set classification and handling procedures
- Include the protection of information throughout the information lifecycle
Criticality and Sensitivity of Assets

- Determined through BIA or other methodologies
- Understand dependencies between systems - how would one system failure affect other systems/departments
- Impact is usually measured according to loss of availability (criticality) or loss of confidentiality or integrity (sensitivity)

Recovery Time Objectives

- Amount of time required to recover to an acceptable level of normal operations
- Acceptable level of operations is defined as the Service Delivery Objective (SDO)
- RTO may fluctuate depending on time of the year or time of the month
- Determined by business and information owners
RTO and Relationship to BCP

- The RTO is used to identify and develop contingency strategies that meet it
- Based on qualitative and quantitative measurements

Recovery Point Objective (RPO)

- Based on acceptable data loss in case of a disruption to operations
- Indicates the most recent point in time to which it is acceptable to recover the data - generally the latest backup
- The length of time required to recover data may also affect the ability to meet the RTO
Service Delivery Objective (SDO)

- Minimal level of service that must be restored after an event to meet business requirements until normal operations can be resumed

Maximum Tolerable Outage (MTO)

- The maximum time an organisation can operate in alternate (or recovery) mode
- Allowable Interruption Window (AIW)
  - Amount of time normal operations can be down before the organisation faces major financial difficulties
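The following added example (not part of the courseware) turns the recovery terms on the last few slides into a consistency check: it records a system's RTO, its acceptable-data-loss objective (the recovery point, "generally the latest backup"), its AIW and its MTO, and compares them with what the backup and contingency arrangements actually deliver. The relationships enforced are this example's reading of the slides: service must reach the SDO within the RTO, the RTO must fit inside the AIW, the backup interval must not exceed the acceptable data loss, and time spent in recovery mode must not exceed the MTO. The two systems, their durations and their backup intervals are constructed.

```python
"""Checking recovery objectives against recovery capability.

Added worked example; not part of the courseware. The systems, durations and
backup intervals below are constructed, and the four relationships checked
are this example's reading of the RTO, RPO, SDO, MTO and AIW slides.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import List


@dataclass(frozen=True)
class RecoveryObjectives:
    """Business-defined targets for one system."""
    system: str
    rto: timedelta   # time allowed to reach the SDO level of service
    rpo: timedelta   # acceptable data loss, measured as time
    aiw: timedelta   # how long normal operations may be down before serious financial harm
    mto: timedelta   # maximum time the business can run in alternate/recovery mode


@dataclass(frozen=True)
class RecoveryCapability:
    """What the current backup and contingency arrangements actually deliver."""
    backup_interval: timedelta    # worst-case data loss equals the gap between backups
    failover_time: timedelta      # time to bring alternate processing up
    restore_time: timedelta       # time to restore data from the latest backup
    return_to_normal: timedelta   # time until primary operations are resumed


def time_to_sdo(cap: RecoveryCapability) -> timedelta:
    """Service is not at SDO until failover is complete and data is restored."""
    return cap.failover_time + cap.restore_time


def check_recovery(obj: RecoveryObjectives, cap: RecoveryCapability) -> List[str]:
    """Return one finding per objective the capability cannot meet."""
    findings = []
    if obj.rto > obj.aiw:
        findings.append(f"RTO {obj.rto} is longer than the AIW {obj.aiw}; "
                        "the business is harmed before recovery is even due")
    if time_to_sdo(cap) > obj.rto:
        findings.append(f"recovery to SDO takes {time_to_sdo(cap)} but the RTO is {obj.rto}")
    if cap.backup_interval > obj.rpo:
        findings.append(f"backups every {cap.backup_interval} cannot meet an RPO of {obj.rpo}")
    if cap.return_to_normal > obj.mto:
        findings.append(f"{cap.return_to_normal} in recovery mode exceeds the MTO of {obj.mto}")
    return findings


# Constructed systems and capabilities.
PAYMENTS = RecoveryObjectives("card payments", rto=timedelta(hours=4),
                              rpo=timedelta(minutes=15), aiw=timedelta(hours=8),
                              mto=timedelta(days=30))
PAYMENTS_CAPABILITY = RecoveryCapability(backup_interval=timedelta(hours=24),
                                         failover_time=timedelta(hours=2),
                                         restore_time=timedelta(hours=1),
                                         return_to_normal=timedelta(days=14))

HR_PORTAL = RecoveryObjectives("HR portal", rto=timedelta(hours=48),
                               rpo=timedelta(hours=24), aiw=timedelta(hours=24),
                               mto=timedelta(days=60))
HR_CAPABILITY = RecoveryCapability(backup_interval=timedelta(hours=24),
                                   failover_time=timedelta(hours=8),
                                   restore_time=timedelta(hours=4),
                                   return_to_normal=timedelta(days=90))

if __name__ == "__main__":
    for obj, cap in ((PAYMENTS, PAYMENTS_CAPABILITY), (HR_PORTAL, HR_CAPABILITY)):
        findings = check_recovery(obj, cap)
        print(obj.system, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

In the constructed data the payments system recovers fast enough but backs up far too rarely for a 15-minute RPO, which is the data-loss gap the slides describe. The HR portal shows the other failure mode: the business has set an RTO longer than its own AIW, so the objectives themselves are inconsistent and need to go back to the business and information owners before any contingency strategy is designed.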
Third Party Service Providers

- Ensure the supporting organisation has suitable controls to protect data
- Contracts specify security and information protection
- Risk assessment is performed
- Proper processes are followed at the end of the relationship
- Managing outsourcing contracts can increase risk
- Manage regulatory requirements

Outsourcing Challenges

- Although the organisation can outsource information risk management to a third party, it generally cannot outsource responsibility
- Audit of the third party may not be possible
  - SLAs
  - SOC 2
- Include the outsourcing firm in BCP/DRPs
Third Party Risk Considerations

- Right to source code (source code escrow)
- Vendor obligation to remain timely with compliance to industry and regulatory standards
- Right to audit or review vendor processes
- Insistence on Standard Operating Procedures (SOPs)
- Right to assess skill sets of vendor resources

Risk Management Integration with Life Cycle Processes

- Integrate risk management into the life cycle
- Change management processes
- Protection over remote access to Building Management Systems and SCADA devices
- Ensure physical security
- Integrate risk management into systems development life cycles (SDLC)
Due Care

- Development of controls and baselines based on good practices and standards
- Tailor standards and good practices to provide an appropriate level of risk to the organisation
- Standards provide the basis for measurement and testing to evaluate whether security baselines are being met

Risk Monitoring and Communication

- Continuously monitoring, evaluating, assessing and reporting risk
- Documented and reported to senior management
  - Visual aids and graphs - not details
  - Dashboards
Key Risk Indicators (KRIs)

- Measures that indicate when an enterprise is subject to risk above a defined risk level
- Based on trends
- Early warnings of possible issues or areas that pose particular risk
- KRIs should be highly relevant and possess a high probability of predicting a change in risk; select them on:
  - Impact
  - Effort to implement, measure and report
  - Reliability
- Responsibility of the information security manager to report to appropriate management
  - Report on status of, and changes in, risk
  - Report on security breaches or events
Training and Awareness

- Appropriate training can have a significant positive effect on managing risk
- The importance of adhering to policies and procedures
- Responding to emergency situations and reporting incidents
- Privacy and confidentiality requirements
- Recognising social engineering

Documentation Associated with Risk

- Risk management policies and procedures
- Business Impact Analysis (BIA)
- Risk register
- Threat and vulnerability assessment
- Initial risk rating
- Vulnerability to external/internal factors
- Inventory of all assets and their location
- Risk mitigation plan
- Monitoring and audit
End of Chapter Two

CISM™
Certified Information Security Manager
Firebrand Custom Designed Courseware

Chapter 3
Information Security Program Development and Management
Course Flow

(Diagram.) Chapter One, Information Security Governance; Chapter Two, Information Risk Management; Chapter Three, Develop and Manage a Security Program; Chapter Four, Information Security Incident Management. The edge labels that survive extraction are "Directs changes to", "Directs development of" and "Enforced by"; the remaining label is garbled in the source.

Objective

- Develop and maintain an information security program that identifies, manages and protects the organisation's assets while aligning to information security strategy and business goals, thereby supporting an effective security posture
- This domain represents 27 percent of the examination (approximately 41 questions)
Learning Objectives

- Have the knowledge necessary to:
  - Understand the broad requirements and activities needed to create, manage and maintain an information security strategy
  - Define and utilise the resources required to achieve the IT goals consistent with organisational objectives
  - Understand the people, processes and technology necessary to execute the information security strategy

Information Security Program Management Overview

- The program executes the strategy and achieves organisational objectives
- The roadmap is based on the strategy
  - Step-by-step detailed plans to achieve these goals
  - Each plan is a specific project or initiative
- Plans also seek to manage, maintain and improve the cost-effectiveness of the program
Information Security Program

- Many diverse security activities
- Exists solely to support the business objectives of the organisation
  - Enabling business activities
  - Managing risk and disruption to acceptable levels

Resource Management

- The program requires internal and external resources
- The security manager must identify optimal resource utilisation
- Develop security processes:
  - Asset classification
  - Escalation
  - Notification
  - Monitoring

Security Program Elements

- Administrative controls (standards)
- Security awareness
- Risk management
- Third party management
- Effective metrics and monitoring
- Reporting

Overview

- Primary program activities: design, development and integration of enterprise-wide controls
- Ongoing administration and management of controls
Management Challenge

- Many security managers have a technical background
- The business wants to understand why controls are needed and how they benefit the organisation
- What risk does the security program mitigate?
- Managers must explain security in business terms and understand the business

Essential Elements

Three elements are essential to ensure successful security program design, implementation and ongoing management:

1. The program must be the execution of a well-developed information security strategy closely aligned with and supporting organisational objectives.
2. The program must be well designed with cooperation and support from management and stakeholders.
3. Effective metrics must be developed for the program design and implementation phases as well as the subsequent ongoing security program management phases, to provide the feedback necessary to guide program execution to achieve the defined outcomes.
Defined Objectives

- The security manager must develop defined objectives for the security program
  - And gain consensus from management and other stakeholders
- The security program may consist of many projects over a period of time
- Define the projects in business terms
- Ensure initiatives provide value and are justifiable

Information Systems

- Must be designed, engineered, built, deployed, modified, managed and maintained until they are removed from service

Security Program Management

- Transform strategy into reality
- Meets security objectives
- Flexible to accommodate changes in security requirements
- Uses tools, expertise and techniques
- Seeks to:
  - Integrate projects
  - Decrease cost of maintenance
  - Provide a consistent level of security across the organisation

Outcomes of Security Program Management

- Strategic alignment
- Risk management
- Value delivery
- Resource management
- Performance measurement
- Assurance process integration
Strategic Alignment

- Align security goals with the goals of the business
  - Requires regular interaction with business owners
- Consensus on:
  - Organisational risk
  - Selection of appropriate control objectives
  - Gaining agreement on acceptable risk
  - Definitions of financial, operational and other constraints

Future Business Direction

- Strategic alignment must consider:
  - Future business directions
  - Security solutions that are a good fit for current and future business initiatives

Risk Management

- Managing risk to information assets is a primary responsibility of the information security manager
- Risk changes, so a continuous process of risk management must be maintained during information security program development

Value Delivery

- Information security must deliver the required level of security effectively and efficiently
- Good planning and project management skills are required
- Strive to develop a culture of continuous improvement

Resource Management

- Developing and managing a security program requires people, technology and processes
- Use resources efficiently and effectively:
  - Human
  - Financial
  - Technical
  - Knowledge

Performance Measurement

- Identify important monitoring and metrics requirements
- Measure progress
- Design security controls with measurable control points
  - Enable auditors to attest that the security program is in place and effectively managed
Metrics

- Strategic, tactical and operational levels
- Metrics should be:
  - Defined
  - Agreed on by management
  - Aligned with strategic objectives
- Metrics may be grouped to provide a more holistic overview

Assurance Process Integration

- Integrate assurance activities with information security activities
- Increase information assurance and predictability of business operations
- Acceptable risk may be defined in terms of reliability, integrity, performance levels, confidentiality, acceptable downtimes and financial impacts

Information Security Program Objectives

- Turn high-level strategy into logical and physical reality through a series of projects and initiatives
- Modify the program as the business changes or new solutions become available
- Gain consensus and cooperation from various stakeholders to minimise implementation and operational problems

Information Security Program Concepts

- Implementation will require project management skills such as:
  - Resource utilisation
  - Budgeting
  - Setting and meeting timelines
  - Milestones
  - Quality assurance
  - User acceptance testing (UAT)
Technology Resources

- The information security manager must be qualified to make decisions with respect to technology
- Understand where a given technology fits into the basic prevention, detection, containment, reaction and recovery framework

Scope and Charter

- The information security manager must determine the scope, responsibilities and charter of the department
- Lack of defined responsibilities will make it difficult to determine what to manage or how the security function is meeting objectives

Chain of Command

- Where should security fit into the organisation?
  - Avoid conflicts of interest
  - Security is primarily an internal regulatory function and should not report to the entities that it is supposed to regulate
- Understand the current state of the security function in the organisation
  - Review audits, incidents and other reports
- Established through the development of a strategy in combination with risk management
- Management support and risk management determine the charter
- Security will impact the organisation's established way of doing things
  - Integrate security into existing processes
  - Will result in some resistance to security
Information Security Management Framework

- Conceptual representation of the security management structure
- Defines the components of the structure:
  - Technical
  - Operational
  - Managerial
  - Administrative
  - Educational

Technical Components

- Configuration
- Monitoring
- Maintenance
- Operation
- All technical components must have an identified owner for responsibility and accountability

Operational Components

- Ongoing management and administrative activities to provide required levels of security assurance
  - Standard Operating Procedures
  - Business operations security practices
  - Maintenance and administration of technical components
- Log maintenance
- Issue escalation
- Management oversight

Managerial Components

- Implementation of standards and policies
- Oversight of programs
- Periodic analysis of assets, threats and vulnerabilities
- Communication with business and operational units
- Ensure consistency with strategic direction

Administrative Components

- Budgeting
- Timeline planning
- Total cost of ownership
- Return on Investment (ROI)
- Acquisition/purchasing
- Inventory management
- Human Resources
  - Staffing and resources

Educational and Informational Components

- Integrate education and awareness into employee orientation
- Communicate policies and procedures
- May use role-playing or online testing for effective training
- Measure training effectiveness
Defining the Program Road Map

- Gain stakeholder buy-in
- Draft basic security policy
- Promote awareness and compliance reviews
- Effect change according to gap analysis
- Build consensus around:
  - Roles and responsibilities
  - Processes
  - Procedures

Elements of a Road Map

- Construct specific projects to achieve strategic directives
  - Timelines
  - Budgets
  - Personnel
  - Tactical project management aspects
- Integrate projects according to strategy, risk and prioritisation
- Design controls and develop projects to implement, deploy and test the controls

Developing a Security Program Road Map

- Thoroughly review existing security levels
  - Data
  - Applications
  - Systems
  - Facilities
  - Processes
- Develop KGIs (Key Goal Indicators), KPIs (Key Performance Indicators) and CSFs (Critical Success Factors)
Security Infrastructure and Architecture

- Infrastructure is the underlying base or foundation on which information systems are deployed
  - Computing platforms
  - Networks
  - Middleware
- Security and infrastructure cannot be separated - the infrastructure needs to be secure

Enterprise Security Architecture

- Objectives:
  - Overarching structure, coherence and cohesiveness
  - Strategic alignment and traceability
  - A level of abstraction independent of technologies - not technology driven
  - Common language
  - Allow individual contributors to work together

Architectural Approaches

- Zachman
- TOGAF
- SABSA
- COBIT
- Most approaches are top-down from the vision to the implementation, from concepts to technological components

Enterprise Architecture Domains

- Four subsets of enterprise architecture:
  - Business (business process) architecture
  - Data architecture
  - Application architecture
  - Technology architecture

Objectives of Security Architecture

- Provide a framework to manage complexity successfully
  - Teamwork under a single design authority
  - Seamless integration between many business processes and support functions
- Simplicity and clarity through layering and modularisation

Information Systems Architecture

- Must take into account:
  - The goals that are to be achieved
  - The environment in which the systems will be built and tested
  - The technical capabilities of the people to construct and operate the systems

Business Focus Beyond Technical Domain

- Information systems architecture is concerned with much more than technical factors
  - What the enterprise wants to achieve
  - Environmental factors that will influence those achievements
- Technology is rarely specified in the architecture - leaving some flexibility in technology choices
Architecture Implementation

- Creation of high level policy to address architecture may be appropriate in major areas
- Architecture policy domains:
  - Database management systems
  - Telecommunications
  - Web application access

Security Program Management and Administrative Activities

- Security program management includes directing, overseeing and monitoring related to information security in support of organisational objectives
- Management is the process of achieving the objectives by bringing together human, physical and financial resources in an optimal combination

Security Program Management

- Short- and long-term planning
- Day-to-day operations
- Directing various projects and initiatives
- Risk management
- Incident management
- Response functions - in a changing environment
- A security program must be tailored to the organisation

Program Administration

- A series of repetitive functions
- Address the areas of administrative management of the security function as per the lists on page 239
Personnel, Roles, Skills and Culture

- Ensure personnel maintain appropriate skills
  - Rarely needed skills may be acquired through service providers or consultants
  - Background checks for personnel may be required
- A role is assigned to an individual based on job function
- A responsibility is a description of a function that a person is accountable to perform
- The creation of roles may reduce administrative overhead
- RACI models may be used in the development of a security program

Skills

- Training, expertise and experience held by personnel in a given job function
- Map skills and proficiencies to job requirements
- Train staff for specialised skills or use external experts
- Have formal employment agreements
- Screen all applicants for positions requiring access to sensitive information

Culture

- Culture represents organisational behaviour
- How things are done - in a formal or informal manner
  - Attitudes
  - Norms
  - Levels of teamwork
  - Turf issues

Culture (continued)

- Culture is impacted by:
  - Individual backgrounds
  - Work ethics
  - Values
  - Past experiences
  - Individual filters/blind spots
  - Perceptions
- Work towards a positive security culture
  - Relationships and interpersonal skills

Security-aware Culture

- Each individual should perform their duties in a way that protects information assets
- Each person knows how information security relates to their role
- Meet individual and business needs
  - What's in it for me?
  - Why should I care?
Security Awareness Training and Education

- Security is more than just a technical issue
  - It must be addressed through education and awareness
- Focus on common user concerns tailored to specific groups
- Educate employees in how to detect and escalate threats
- Give greater emphasis to staff with privileged access levels

Awareness

- Starts when an employee or contractor joins the organisation (induction training)
- Vary the delivery techniques to keep it interesting
  - Quizzes
  - Online
  - Newsletters
  - Posters
  - Screen savers
Preparing an Awareness Program

- Who is the intended audience?
- What is the intended message?
- What communication method will be used?
- What is the organisational structure and culture?

General Rules of Use

- A user-friendly summary of what users should and should not do to comply with policy
- Assist users with understanding security-related responsibilities
  - Policy
  - Handling classified data
  - Access control
  - Reporting requirements
  - Disclosure constraints
Ethics

- What is legal and appropriate
- Especially applies to staff with sensitive duties
  - Penetration testing
  - Monitoring users
  - Access to sensitive data
- Beware of conflicts of interest
- Have, and communicate, a code of ethics

Documentation

- Create and maintain appropriate security documentation
  - Policies, operational reports, risk assessments, etc.
- Maintain documentation
  - Ownership and approval for changes
  - Version control
- Control access to documentation
Program Development and Project Management

- Information security programs are rarely static and must undergo ongoing development to meet changing conditions and risk
- Prioritise the portfolio of projects
- Prevent overlap
- Prevent one project from delaying another project
- Ensure resources are properly allocated
- Track deadlines and goals

Risk Management

- Ensure the organisation can respond effectively to security incidents that disrupt business operations
- Knowledge of programme- and project-related risk
Business Case Development

- The business case makes it evident:
  - That there is a significant return on the proposed investment,
  - The project is feasible and practical, and
  - The impact on productivity is acceptable

Program Budgeting

- Effective preparation and defense of a budget can determine whether there are sufficient staff and resources to complete the project and meet project goals
- Align budget with strategy
- Budget expenses:
  - Salaries
  - Software and hardware acquisition
  - Operational costs
Information Security Problem Management Practices

- Problem management is focused on discovering the root cause of issues
- Systematic approach
  - Defining the problem
  - Designing an action program
  - Assigning responsibility
  - Assigning due dates for resolution
- Sometimes problem management requires using a temporary workaround

Vendor Management

- The security manager must provide oversight and monitoring for external providers of:
  - Hardware
  - Software
  - General supplies
  - Services
- Assurance that risk associated with acquisition, implementation and service delivery is managed appropriately
Security Services

- Can provide objective, fresh perspectives on the security program
  - Can free up internal resources
- Risk associated with vendors:
  - Financial viability
  - Quality of service
  - Adequate staffing
  - Adherence to organisational policies and regulations

- Assess the current state of the security program
- Periodically re-evaluate the effectiveness of the program
- Share results with the steering committee or other stakeholders
- Determine the scope for conducting the assessment
Areas of Evaluation

- Are program objectives being met?
- Are compliance requirements being met?
- Are programs being managed effectively?
- Are security operations being managed?
- Are technical standards being met?
- Are there sufficient resources available, with the required level of training and expertise?

Plan-Do-Check-Act

- The PDCA model was used in an earlier version of ISO/IEC 27001 (the 2005 edition). It provides a focus on continuous quality improvement
  - Total Quality Management
- Requires strategy, vision and metrics
Legal and Regulatory Requirements

- The security program must demonstrate compliance with laws and regulations
  - Privacy
  - Financial reporting
  - Human resources law

Physical and Environmental Factors

- Backups and availability of backups
- Access control
  - Need-to-know basis
- Location of data centre and data processing facilities
- Humidity and power controls
- Protection of end-user devices
  - Theft, malware infection
  - Disk encryption
Cultural Differences

- Be aware of differences in perceptions, customs and appropriate behaviour across different regions and cultures
  - This can affect security policy and procedures
- Work with legal and human resources to ensure all policies are appropriate

Logistics

- Interact effectively with other business units
  - Strategic planning
  - Project management
  - Committees
  - Scheduling of routine procedures
  - Resource prioritisation
  - Coordination of security with large projects
Security Program Services and Operational Activities

- The information security manager has to liaise with several other departments of the organisation, including:
  - Physical/corporate security: inadequate physical security would undermine information security
  - IT Audit: providing assurance of policy compliance

Security Program Services and Operational Activities (continued)

- Liaison with:
  - Information Technology: the hands-on operators of information systems and networks
    - Responsible for operation and configuration of most security technologies
  - Business Unit Managers: ensure business managers know how to identify and escalate security incidents
Security Program Services and Operational Activities (continued)

- Liaison with:
  - Human Resources: employee background checks and education
    - Involvement in any employee monitoring
  - Legal: address compliance, liability, corporate responsibility and due diligence
  - Employees: the first line of defense for a security program
    - Must be trained, and follow policy and procedures

Security Program Services and Operational Activities (continued)

- Liaison with:
  - Procurement: approved equipment that meets standards
  - Compliance: ensure legal compliance
  - Privacy: avoid sanctions and adhere to privacy laws
  - Training: ensure security awareness programs are provided
  - Quality Assurance: testing of security controls
Security Program Services and Operational Activities (continued)

- Liaison with:
  - Insurance: transfers part of the residual risk and can serve as a compensating control
  - Third-party management: outsourced functions and services
    - Risk associated with external services
  - Project Management Office: awareness of projects
    - Ensure the security team can review projects during development

Cross-Organisational Responsibilities

- Separation of duties (SoD) is an important element of a security program
  - Compensating controls (for example, independent review of activity logs) should be in place where there is insufficient SoD
- Coordinated activities across departments and management tiers through communications and relationship building
- Each department must understand the requirement to support and implement the security program
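The SoD point above is usually checked in practice by scanning role assignments for "toxic combinations" and recording whether each one is covered by a compensating control. The script below is an added example of that check; it is not part of the Firebrand or ISACA courseware. The role names, the conflict matrix, the compensating-control table and the user list are constructed assumptions for illustration.

```python
"""Added example (not from the courseware): find separation-of-duties
conflicts in role assignments and flag those with no compensating control."""

from collections import defaultdict

# Assumed: pairs of roles one person must not hold at the same time.
TOXIC_COMBINATIONS = {
    frozenset({"developer", "prod_deployer"}),
    frozenset({"vendor_onboarding", "payment_approver"}),
    frozenset({"firewall_admin", "firewall_change_approver"}),
}

# Assumed: where SoD cannot be achieved (e.g. a small team), a documented
# compensating control may be accepted for a specific combination.
COMPENSATING_CONTROLS = {
    frozenset({"developer", "prod_deployer"}): "independent review of deployment logs",
}


def find_sod_conflicts(assignments):
    """assignments: iterable of (user, role) pairs.
    Returns {user: [(role_a, role_b, compensating_control_or_None), ...]}."""
    roles_by_user = defaultdict(set)
    for user, role in assignments:
        roles_by_user[user].add(role)

    conflicts = {}
    for user, roles in roles_by_user.items():
        found = []
        for combo in TOXIC_COMBINATIONS:
            if combo <= roles:  # user holds every role in the toxic pair
                a, b = sorted(combo)
                found.append((a, b, COMPENSATING_CONTROLS.get(combo)))
        if found:
            conflicts[user] = sorted(found)
    return conflicts


def uncompensated_conflicts(conflicts):
    """Return (user, role_a, role_b) for every conflict lacking a compensating
    control; these are the ones that need management action."""
    return sorted(
        (user, a, b)
        for user, found in conflicts.items()
        for a, b, control in found
        if control is None
    )


# Constructed sample: an export of user-to-role assignments.
SAMPLE_ASSIGNMENTS = [
    ("alice", "developer"),
    ("alice", "prod_deployer"),
    ("bob", "firewall_admin"),
    ("bob", "firewall_change_approver"),
    ("carol", "vendor_onboarding"),
    ("dave", "payment_approver"),
]

if __name__ == "__main__":
    conflicts = find_sod_conflicts(SAMPLE_ASSIGNMENTS)
    for user, items in conflicts.items():
        for a, b, control in items:
            status = f"compensated by {control}" if control else "NO COMPENSATING CONTROL"
            print(f"{user}: {a} + {b} -> {status}")
```

Run against a real identity-provider export, the uncompensated list is what goes to the steering committee: either the roles are split, or a compensating control is agreed and recorded in the table.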




Integration of Security into Business Units

- Each manager must understand that they serve as the policy compliance officer for their area of responsibility and must provide adequate oversight
- The security manager is the point of escalation for security events detected through monitoring and the primary contact for incidents that may require investigation

Security Reviews and Audits

- Consistent approach to assessing and evaluating the security program
  - Provides trend information over time
  - Serves as a metric for improvement
- Security reviews (like an audit) consist of:
  - An objective
  - A scope
  - Constraints
  - An approach
  - A result
Review Objectives

- A review objective states what is to be determined by the review, e.g., whether a firewall is configured correctly
- Scope refers to the mapping of the objective to the aspect to be reviewed, e.g., the external-facing application firewall used to protect web site applications
- A constraint is a condition that could affect the quality and objectivity of the review, e.g., lack of management support or lack of access to documentation

Security Reviews (continued)

- The approach is the set of activities used to meet the review objectives, e.g., review of the firewall configuration and of change management logs
- The result is the assessment of whether the review objective was met
- During a review, the security manager must gather data related to compliance and detect any weaknesses in the system or processes being reviewed
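The firewall review used as the running example above maps directly onto code: the objective becomes a set of tests, the scope is the rule set fed in, the approach is the configuration check cross-referenced with change tickets, and the result is pass/fail plus findings. The script below is an added example, not courseware or vendor code. The line-oriented rule format, the policy tests, the ticket list and the sample rule set are constructed assumptions; a real review would parse the firewall vendor's export instead.

```python
"""Added example (not from the courseware): an automated 'approach' for
reviewing an external-facing firewall against its review objective."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str              # "allow" or "deny"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    dport: str               # port number, range, or "any"
    ticket: Optional[str]    # change-management reference, if recorded


def parse_rules(text):
    """Parse the constructed export format, one rule per line:
    '<id> <action> <src> <dst> <dport> [ticket]'; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"malformed rule line: {line!r}")
        ticket = parts[5] if len(parts) > 5 else None
        rules.append(Rule(parts[0], parts[1].lower(), parts[2], parts[3], parts[4], ticket))
    return rules


def review_firewall(rules, approved_tickets):
    """Review objective: is the external firewall configured correctly?
    Each check is one test of the objective. Returns (passed, findings)."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src, last.dst, last.dport) != ("any", "any", "any"):
        findings.append("no final default-deny rule")
    for r in rules:
        if r.action != "allow":
            continue
        if (r.src, r.dst, r.dport) == ("any", "any", "any"):
            findings.append(f"{r.rule_id}: permits any source to any destination on any port")
        if r.src == "any" and r.dport in ("22", "3389"):
            findings.append(f"{r.rule_id}: administrative port {r.dport} exposed to any source")
        # Cross-check against change management: every allow rule must trace
        # to an approved ticket, otherwise it was not authorised.
        if r.ticket is None:
            findings.append(f"{r.rule_id}: allow rule has no change-management reference")
        elif r.ticket not in approved_tickets:
            findings.append(f"{r.rule_id}: ticket {r.ticket} not found in approved changes")
    return (not findings, findings)


# Constructed sample rule set (the review scope) and approved-ticket list.
SAMPLE_EXPORT = """
# external-facing firewall, constructed sample
R1 allow any 203.0.113.10/32 443 CHG-1041
R2 allow any 203.0.113.10/32 80 CHG-1041
R3 allow any 203.0.113.20/32 22 CHG-1088      # admin from anywhere
R4 allow 198.51.100.0/24 203.0.113.30/32 8443
R5 deny any any any
"""
SAMPLE_APPROVED_TICKETS = {"CHG-1041", "CHG-1077"}


def run_review():
    """Apply the approach to the scoped rule set and return the result."""
    return review_firewall(parse_rules(SAMPLE_EXPORT), SAMPLE_APPROVED_TICKETS)


if __name__ == "__main__":
    passed, findings = run_review()
    print("Result: objective met" if passed else "Result: objective NOT met")
    for finding in findings:
        print(" -", finding)
```

The constraint from the slide shows up here too: if the reviewer cannot obtain the change-ticket list, the ticket cross-check cannot run and the result must say so rather than silently passing.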
Audits

- Audits are designed to:
  - Identify
  - Evaluate
  - Test
  - Assess the effectiveness of controls
- Effectiveness is based on whether controls meet the control objectives

Audits (continued)

- Audit documentation (work papers) includes:
  - Mapping of controls to control objectives
  - A statement of how the control was tested
  - Links from test results to the final assessment
- Audits may be based on internal or external standards and policies (e.g., ISO/IEC 27001)
Auditors

- Audits provide an essential assurance process
- Audit findings can influence top management to take action on security issues
- Audits may be either internal or external
- Some audits are compulsory (mandated by law); others are based on management's areas of concern
- The security manager should ensure time and resources are provided to support audits

- Security is often provided through a mix of legacy and new equipment
- The implementation of security is largely dependent on tools (technology)
- The role of security varies from actual operation of security equipment to one of providing consulting on security tools
- Security is provided through layers of defense and multiple technical tools at various points within the organisation
Due Diligence

- The "standard of due care"
  - Steps that should be taken by a reasonable person of similar competency in similar circumstances
- For security this means following the good practices that should be expected of a reasonable organisation
- Periodic third-party reviews (e.g., ISO/IEC 27001 audits) may provide assurance of due care

Managing and Controlling Access to Information Resources

- Meet regulatory requirements
- Follow widely-accepted standards
- Have skilled and competent staff
Compliance Monitoring and Enforcement

- During program development, audit hooks and logs must be built in to support compliance monitoring and reporting
- Develop enforcement procedures (tests) to ensure compliance with policy and standards
- Policies establish accountability for the actions of users
  - Should cover all situations where information is handled
  - Must have a policy exception process

Standards Compliance

- Standards ensure that all systems of the same type within the same security domain are configured correctly and operated in the same way
- Standards enforce compliance with policy
Resolution of Non-compliance Issues

- Have a defined process
- Base the process on the risk associated with non-compliance
  - Set priorities for resolution
- Non-compliance issues may be detected through:
  - Audit reports
  - Normal monitoring
  - Security reviews
  - Vulnerability scans
  - Due diligence work

Compliance Enforcement

- Audits are a snapshot of compliance at a point in time
- Compliance enforcement is an ongoing process
- The information security program also needs to comply with pertinent standards and regulations
- Enforcement may require input from security, senior management and the steering committee
Risk and Security

- Risk management is used to justify security controls
- Threat and vulnerability assessments and impact levels should be conducted on a regular basis to ensure the security program is addressing the correct issues at the correct level of priority

Outsourcing

- Outsourcing is often based on economics
  - Acquire expertise at reasonable cost
- The adequacy of the vendor's controls should be evaluated
  - Independent audit or on-site visit
- Legal constraints may affect the ability to outsource
Outsourcing Contracts

- Contracts:
  - Ensure the parties are aware of their responsibilities
  - Provide the means to address disagreements
- Should address confidentiality and non-disclosure
- Stipulate the implementation of appropriate controls
- Address the right to audit
- Address remediation and incident handling

Contracts (continued)

- Should have an indemnity clause (compensation for damages)
- Specify the jurisdiction of the courts in the event of a dispute
Third-party Access

- Access only granted based on risk and compliance
  - Specify in a service level agreement (SLA)
  - Log all access and review on a regular basis
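"Log all access and review on a regular basis" is only useful if the review compares what happened against what the SLA actually permits. The script below is an added example of such a periodic review run over access log lines; it is not from the courseware. The log line format, the SLA table (permitted hosts and a UTC maintenance window per third-party account) and the sample log are constructed assumptions.

```python
"""Added example (not from the courseware): review third-party access
logs against the access terms specified in each vendor's SLA."""

from datetime import datetime, timezone

# Assumed SLA terms per third-party account: hosts the vendor may reach and
# the permitted window as UTC hours [start, end); weekdays_only restricts
# access to Monday-Friday.
SLA = {
    "svc-vendorA": {"hosts": {"db01", "db02"}, "window": (8, 18), "weekdays_only": True},
    "svc-vendorB": {"hosts": {"web01"}, "window": (0, 24), "weekdays_only": False},
}


def parse_log_line(line):
    """Constructed format: '<ISO 8601 UTC timestamp> <account> <host> <result>'."""
    ts, account, host, result = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return when, account, host, result


def review_third_party_access(lines):
    """Return [(line_no, reason)] for every access that falls outside the SLA.
    An unknown account is itself a finding: no SLA, no access."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        when, account, host, result = parse_log_line(line)
        terms = SLA.get(account)
        if terms is None:
            findings.append((n, f"{account}: not a contracted third-party account"))
            continue
        if host not in terms["hosts"]:
            findings.append((n, f"{account}: host {host} not covered by SLA"))
        start, end = terms["window"]
        if not (start <= when.hour < end):
            findings.append((n, f"{account}: access at {when:%H:%M} UTC outside window"))
        if terms["weekdays_only"] and when.weekday() >= 5:
            findings.append((n, f"{account}: weekend access not permitted"))
    return findings


# Constructed sample log (2024-03-04 is a Monday, 2024-03-09 a Saturday).
SAMPLE_LOG = """
2024-03-04T09:15:00Z svc-vendorA db01 success
2024-03-04T23:40:00Z svc-vendorA db01 success
2024-03-05T10:02:00Z svc-vendorA web01 success
2024-03-09T11:00:00Z svc-vendorA db02 success
2024-03-06T02:30:00Z svc-vendorB web01 success
2024-03-06T14:12:00Z svc-vendorC db01 failure
""".strip().splitlines()

if __name__ == "__main__":
    for line_no, reason in review_third_party_access(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Failed attempts are deliberately reviewed too: a failed login from an account that has no SLA at all (the last sample line) is a finding about account lifecycle, not just a noisy log entry.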


Cloud Computing

- A model for enabling on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction
- NIST cloud definition: NIST SP 800-145
Essential Characteristics of the Cloud

- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service

Cloud Service Models

- Software as a Service (SaaS)
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Disaster Recovery as a Service (DRaaS)
- Identity as a Service
- Data Storage and Analytics as a Service
- (everything as a service!)

Cloud Deployment Models

- Private cloud
- Public cloud
- Community cloud
- Hybrid cloud

Cloud Advantages

- Faster development and deployment
- Optimised resource utilisation
- Cost savings
- Better responsiveness
- Faster cycle of innovation
- Resilience
Security Considerations

- Cloud provider security may be better than the security of organisations with an immature security program
- Risk of loss of control over data
- Location of data may be restricted by law
- Incident handling may be more challenging

Selecting a Cloud Service Provider

- Cost
- Data centre provider
- Backbone transport
- Internet service provider (ISP)
Integration with IT Processes

- Security must integrate with other organisational processes:
  - BCP
  - Incident response
  - Risk management
- Avoid gaps and overlaps
  - Bi-directional communications
- Include security and risk in the SDLC
- Consider the security implications of changes to systems and applications
- Follow a change management and configuration management process
- During release management ensure standards and procedures are followed
  - Prevent products being deployed prematurely
Controls and Countermeasures

- Include both general controls and application- or system-specific controls
  - General controls span multiple departments and systems
- Most security failures can ultimately be attributed to failures of management, and management problems typically do not have technical solutions

Control Categories

- Preventive: inhibit violations
- Detective: warn of violations
- Corrective: remediate impact
- Compensating: reduce the risk of an existing or potential control weakness
- Deterrent: provide warnings


Control Objectives

- Control objectives are determined by management's defined acceptable risk levels
- The primary control effectiveness metric is the extent to which the control meets the objectives
- Control objectives are met through physical, administrative and technical controls
  - The best controls are based on cost/benefit and many other factors (see page 292)

Control Principles

- Access (logical) control
- Secure failure
- Principle of least privilege
- Compartmentalise to minimise damage
- Segregation of duties (SoD)
- Transparency
- Trust
- Trust no one
Control Strength

- Measured through testing
  - Measured in terms of the control's inherent or design strength and the likelihood of its effectiveness
- Automated controls are generally preferable to manual controls

Countermeasures

- Address a specific threat
  - More effective at countering that threat
  - Less efficient and often narrow in scope
  - May provide incremental enhancements to existing controls
Physical and Environmental Controls

- The foundation of an effective information security program is a strong physical barrier protecting the physical infrastructure (media) on which the information resides
- Physical security controls are general controls
  - Facility security: badges, fences, locks
  - Access control
  - Removable media controls
  - Backup power

Control Technology Categories

- Technology controls
  - Native: out-of-the-box security in products
  - Supplemental: additional controls (e.g., IDS)
  - Support: specialised controls, e.g., federated identity management, single sign-on
Management Support Technologies

- Automate a security-related procedure
- Provide management information
  - Security Information Management (SIM) tools
- Can frequently be automated

Technical Control Components and Architecture

- Analysis of controls ensures that controls are aligned with risk management and strategy
  - Suitable metrics
  - Control placement
  - Control effectiveness
  - Control efficiency
  - Control policy
  - Control implementation


Control Testing and Modification

- Changes to the technical or operational environment can affect the protective effect of controls or create new weaknesses
- For changes to controls use change control procedures and have stakeholder approval
  - Train staff in new procedures
  - Walk through after implementation to ensure the controls are working correctly and to resolve any user issues

Baseline Controls

- Baselines are mandatory requirements for all new systems development
- Baselines may include:
  - Authentication functionality
  - Logging
  - Role-based access control
  - Data transmission confidentiality
Trade-offs

- There is almost never a 'perfect' solution
- Controls need to be implemented with consideration of:
  - Cost
  - Impact on the business
  - Security requirements
- This may require trade-offs to tailor the control solution for the organisation

Control Testing

- Test:
  - Control effectiveness and performance
  - Integration with other controls
  - Adequate administrative and reporting functionality
Implementation Testing

- Resolve flaws or weaknesses found during testing
- If issues cannot be resolved prior to implementation, management must decide whether to accept the risk
  - Develop a timetable to resolve the issues
- Code reviews may detect unexpected vulnerabilities (which may not be found using automated testing tools)

Security Program Metrics and Monitoring

- Key controls that cannot be monitored pose an unacceptable risk to the organisation
- Test both the technical and the non-technical (process) components of the security program
  - Technical metrics alone cannot answer the question of how secure the organisation is
- Systems engineering requires the ability to measure and quantify
Metrics Development

- Meaningful metrics
  - What information is required, and by whom
- Strategic metrics: a compilation of other metrics; the direction of the security program
- Management metrics: manage the security program (compliance and incident management)
- Operational metrics: technical and procedural metrics

Monitoring Approaches

- Develop a consistent, reliable method to determine overall security program effectiveness
- Metrics are of little value if no action is taken to resolve issues
- Continuous monitoring of security activities is a prudent business practice (and often a regulatory requirement)
Determine Success of Information Security Investments

- Total cost of ownership (TCO) for controls:
  - Cost to administer controls
  - Training costs
  - Maintenance costs
  - Monitoring costs
  - Update fees
  - Consultant or helpdesk fees
  - Fees associated with updating related systems

Measuring Information Security Management Performance

- Assess the success and shortcomings of the information security management program
  - Achieve acceptable levels of risk
  - Support achievement of overall organisational objectives and compliance
  - Maximise the program's operational productivity
  - Maximise security cost-effectiveness
  - Maintain awareness
  - Facilitate enterprise architecture
  - Measure operational performance
Other Areas to Measure

- Measure information security risk and loss
- Measure support of organisational objectives
- Measure compliance
- Measure operational productivity
- Measure security cost-effectiveness
- Measure organisational awareness
- Measure effectiveness of the technical security architecture
- Measure effectiveness of the management framework and resources
- Measure operational performance
- Monitoring and communication
Common Information Security Program Challenges

- Organisational resistance
- Perception of impact on job functions
- Overreliance on subjective metrics
- Failure of strategy
- Assumptions of compliance without confirmation
- Ineffective project management
- Previously undetected, broken or buggy software

Improving Security

- Start from where the organisation is
- Educate
- Gain agreement and consensus
- Align with business objectives
- Develop meaningful metrics
- Gain management support
- Justify funding
- Develop and train staff

End of Chapter Three

CISM™
Certified Information Security Manager

Firebrand Custom Designed Courseware

Chapter 4
Information Security Incident Management
Exam Relevance

- The essential knowledge necessary to establish an effective program to respond to and subsequently manage incidents that threaten an organisation's information systems and infrastructure
- This domain represents 19% of the CISM examination (approximately 28 questions)

Learning Objectives

- Identify, analyse, manage and respond effectively to unexpected events that may adversely affect the organisation's information assets and/or its ability to operate
- Identify the components of an incident response plan
- Evaluate the effectiveness of an incident response plan
- Understand the relationship among an incident response plan, a disaster recovery plan and a business continuity plan
Introduction

- Incident management is defined as the capability to effectively manage unexpected, operationally disruptive events
  - Minimise impacts
  - Maintain or restore normal operations within defined time limits

Incident Response

- The operational capability of incident management
  - Identifies
  - Prepares for
  - Responds to incidents
- Provides forensics and investigative capabilities
- Meets timelines for recovery according to service level agreements (SLAs)
Introduction (continued)

- In most organisations, incident response for information and information systems is the responsibility of the information security manager
  - Requires technical expertise
  - Requires information security competence
- Develop and test the incident response plans and ensure correlation with business continuity and disaster recovery plans

Introduction (continued)

- The organisation must define criteria for what constitutes an incident and how incidents are categorised (by severity level) based on impact across the organisation
- Categorisation of the incident triggers the appropriate response to the incident
Incident Response Planning

- Have a formal (approved) incident response plan
- Ensure senior management support
- Distribute the IRP and maintain the plans despite organisational changes
- Outline the goals for a consistent and systematic approach to addressing and remediating incidents in a timely manner

Timeliness

- Timely identification of an incident affects the overall effectiveness of incident response
  - However, timeliness must be combined with accuracy of identification
  - False positives decrease security alertness and add additional costs and resource load
  - Late identification and incident response may result in the expansion of the incident
Incident Response and Documentation

- The information security manager must ensure incidents are properly investigated and documented
- Documented plans ensure each participant knows their role in the incident
- Incident documentation assists in forensics or post-incident examination and follow-up
- Ensure all incidents are handled in a legal manner, in compliance with laws and policies

Incident Response Teams

- Having trained teams to handle incidents may minimise the impact of an incident
  - Untrained teams may make an incident worse
- Revise the IRP as business objectives and processes change
  - Contact lists need to be kept up to date
External Entities

- Depending on the situation, external parties may be required as a part of incident response
  - Public relations
  - Forensic auditors
  - Legal counsel
- Determine points of contact and contracted agreements

Root Cause Analysis

- The information security manager should always look for the root cause of an incident
  - Ensure the true underlying problem is identified and scheduled for remediation
- Have a formal post-incident review process
- There are many types of incidents, and therefore many types of incident response plans, as well as business continuity and disaster recovery plans
Incident Response Overview

- Incident response is the emergency operations component of risk management
- Incidents may be the result of:
  - Theft
  - Accidents
  - Attacks
  - Losses
- Or any other unexpected adverse event that occurs as a result of the failure, or lack, of controls
- IR requirements depend on:
  - Mission, business goals and objectives
  - The type of industry/organisation
  - The services provided
  - The relationship with customers and other stakeholders
  - Financial depth and costs
  - Resources required for response (Computer Security Incident Response Team (CSIRT))
Incident Management

- Involves all the actions taken prior to, during and after an information security incident occurs
- The goals of incident management include:
  - Minimising impact
  - Informing management
  - Maintaining or restoring continuity of services
  - Providing defense against subsequent attacks
  - Providing deterrence through technology, investigation and prosecution

Incidents

- Technical
  - Network, virus, DoS (denial of service), system intrusion
- Mistakes/accidents
- Process failure
- Theft of equipment or data
- Social engineering
- Natural disasters
Priorities for Incident Response

- Based on:
  - Risk management
  - Business impact analysis (BIA)

IRP, BCP and DRP

- Incident response, business continuity and disaster recovery are interrelated, complementary disciplines, but they are not the same
- Incident response is the first responder to an event and should try to prevent the incident from becoming a problem, and a problem from becoming a disaster
Incident Management Life Cycle Phases

- Planning and preparation
- Detection, triage and investigation
- Containment, analysis, tracking and recovery
- Post-incident assessment
- Incident closure

Incidents

- By definition are unexpected and confusing
- The ability to detect, assess, determine the cause, and quickly arrive at a solution may make the difference between an inconvenience and a disaster
- Declaration of a disaster is an important part of incident response
Planning and Preparation

- Incident response requires:
  - Rigorous planning
  - Commitment of resources
  - Stakeholder consensus
- Support can be gained through:
  - Examination of previous incidents
  - Business case development
  - Response planning can lower security and insurance costs

Critical Parts of Incident Response

- Determination of severity criteria
  - Consistent, concise
- Declaration criteria for a disaster
  - Authority
  - Response level, activate teams, declare the disaster, mobilise the recovery process
- Training of personnel to:
  - Recognise incidents
  - Respond: notify, escalate, report correctly
Incident Response Procedures

- No amount of preparation will avoid all incidents
  - But it will allow the organisation to respond effectively when incidents happen
- The role of the information security manager may include, or may differ greatly from, the disciplines of business continuity and disaster recovery

Importance of Incident Management

- The importance of incident management is increasing due to:
  - Increased occurrences of, and losses from, incidents
  - Software vulnerabilities affecting larger parts of the organisation
  - Security controls failing to prevent incidents
  - Legal mandates
  - Sophistication of attackers (APTs)
  - Zero-day attacks
Outcomes of Incident Management

- Effective handling of incidents
- Detection and monitoring capabilities
- Incident classification criteria
- Trained personnel
- Alignment of incident response with business strategies
- Proactively managing risk
- Monitoring metrics to evaluate maturity of the incident management process

Monitoring and Metrics Benefits

- Adequate protection of information assets
- Trained response teams
- Effective IRPs
- Rapid identification and response to incidents
  - Recovery within acceptable interruption window (AIW)
- Communications with stakeholders and external parties
- Lessons learned and improvements
- Assurance for internal and external stakeholders
Incident Response Concepts

- Based on CMU-SEI (Software Engineering Institute)
- Incident handling - handling events - detection and reporting; triage; analysis; incident response
- Effective incident management - incidents are detected, recorded and managed to limit impacts and track the event
  - Incident management provides structure to investigate, diagnose, resolve and close incidents

Incident Response Concepts (continued)

- Incident response - planning, coordination and execution of appropriate mitigation, containment and recovery strategies and actions
Incident Management Systems

- Incident management systems automate many manual tasks to identify possible incidents and alert the incident management team (IMT)
- May combine input from multiple sources (IDS, IPS, server logs, etc.)
- Security Information and Event Management (SIEM) tools do data collation, analysis and reporting
  - Will track ongoing incidents

Automated System Efficiencies

- Operating costs - it may not be possible to do sufficient data analysis using manual methods
  - Manual training costs are higher and more narrow than training for automated systems
- Recovery costs - automated systems are able to detect and escalate incidents significantly faster than a manual process
  - May provide better incident containment
Incident Management Organisation

- Incident management is the first responder for incidents
  - Is nominally a part of risk management - IRP addresses the risk that risk management was not able to avoid
  - IRP is the operational and reactive element of risk management
- The information security manager must understand the incident management activities, including meeting with internal and external parties

Emergency Management

- Activities immediately after an incident:
  - Safety of personnel - evacuation plans
  - Command centre
  - Communications
  - Restoration of services
Responsibilities

- The information security manager's responsibilities in IRP include:
  - Developing incident management plans
  - Handling response activities
  - Verifying countermeasure solutions
  - Planning, budgeting and program development for incident management and response
- Internal and external resources:
  - IT
  - Audit
  - HR
  - Legal
  - Physical security
  - Risk management
  - Insurance
  - PR
  - Sales
IRP Policies

- The IRP must be supported through:
  - Policies
  - Standards
  - Procedures
- Aligned with IMT mission
  - Set correct expectations for service and recovery
  - Provide operational guidance
  - Clearly understood roles and responsibilities

Incident Response Technology Concepts

- IRTs must be familiar with:
  - Security principles
  - Security vulnerabilities and weaknesses
  - The Internet
  - Network protocols
  - Network applications and services
  - Operating systems
  - Malicious code (malware, virus, APT)
  - Programming skills
Personnel

- An IMT usually consists of:
  - Steering committee
  - Information security manager
  - Advisory board
  - Permanent or dedicated team members
  - Virtual or temporary team members

IRT Response Team Organisation

- Different organisational models
  - Central IRT - handles all incidents for the organisation (usually a small organisation)
  - Distributed IRT - different teams responsible for different areas or geographic regions
  - Coordinating IRT - central team provides guidance to distributed teams
  - Outsourced IRT - services provided by a third party
Composition of Incident Response Staff

- Membership in the IR team is affected by:
  - Type of organisation
  - Nature of services offered
  - Available staff expertise
  - Size of constituency and technology base
  - Anticipated incident load
  - Severity of incidents reported
  - Funding

Skills

- Successful IR team members' skills include:
  - Personal skills - effective communicators
  - Leadership
  - Ability to follow policy and procedures
  - Team skills
  - Integrity
  - Self-understanding - recognise limitations
  - Coping with stress
  - Problem solving
  - Time management
- Technical skills
Awareness and Education

- A lack of awareness is the cause of many incidents and security breaches
- Have an ongoing awareness campaign
- Train IRT response team staff

Audits

- Verify compliance with policies, standards and procedures
- Review incident response plans and logs
- Validate that legal requirements are met and that the timelines are realistic
Outsourced Security Providers

- Outsourcing incident management may be a cost-effective solution for smaller organisations
- Could use the same provider as outsourced IT operations or security operations

Considerations for Outsourced Response

- Matching the organisation's incident reference numbers with the vendor's reference number for each incident
- Integration of the organisation's change management process with that of the vendor
- Requirement for periodic review of incidents that occur on a regular basis
Incident Management Objectives

- Key success factors to meet objectives include:
  - Strategic alignment
  - Risk management
  - Assurance process integration
  - Value delivery
  - Resource management

Incident Management Metrics and Indicators

- Measure effectiveness and efficiency of incident response
  - KPIs - quantifiable
  - KRIs - risk threshold indicators
  - KGIs - may be qualitative or quantitative
- Performance measurement
  - Optimising cost-effectiveness
  - Meeting Recovery Time Objectives (RTOs)
Defining Incident Management Procedures

- Good practices may be based on SANS or CMU SEI
- Detailed plan of action for incident management
  - Prepare/improve/sustain
  - Protect infrastructure
  - Detect events - proactive and reactive
  - Triage events - process of sorting, categorising, correlating, prioritising, assigning
  - Respond - resolve/mitigate

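As an added example (not part of the course material), the SIEM collation described earlier and the triage step above applied to two constructed log sources: events from an IDS alert feed and a server auth log are normalised into one timeline, correlated per source address within a time window, rated against assumed severity criteria, prioritised and assigned. The log lines, the 15-minute window, the severity thresholds and the assignment rule are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IDS alert feed (not real data): "<timestamp> ALERT <category> src=<ip>"
IDS_ALERTS = """\
2024-05-01T10:00:05 ALERT scan src=203.0.113.7
2024-05-01T10:02:10 ALERT exploit-attempt src=203.0.113.7
2024-05-01T10:30:00 ALERT scan src=198.51.100.9
"""
# Constructed server auth log: "<timestamp> sshd <result> for <user> from <ip>"
AUTH_LOG = """\
2024-05-01T10:01:00 sshd failed for root from 203.0.113.7
2024-05-01T10:01:30 sshd failed for admin from 203.0.113.7
2024-05-01T10:03:00 sshd accepted for admin from 203.0.113.7
2024-05-01T11:00:00 sshd accepted for alice from 192.0.2.10
"""
IDS_RE = re.compile(r"^(\S+) ALERT (\S+) src=(\S+)$")
AUTH_RE = re.compile(r"^(\S+) sshd (failed|accepted) for (\S+) from (\S+)$")
# Assumed assignment rule: who owns an incident at each severity
ASSIGNMENT = {"high": "IMT escalation", "medium": "security analyst", "low": "log and monitor"}

def collate(ids_text, auth_text):
    """Collation: normalise both sources into time-sorted (time, src_ip, event_type)."""
    events = []
    for line in ids_text.splitlines():
        m = IDS_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(3), m.group(2)))
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(4), "login-" + m.group(2)))
    return sorted(events)

def severity(kinds):
    """Assumed severity criteria, checked from most to least severe so the
    same evidence always gets the same rating (consistent, concise)."""
    if "exploit-attempt" in kinds and "login-accepted" in kinds:
        return "high"      # exploit attempt followed by a successful login: likely compromise
    if "exploit-attempt" in kinds or kinds.count("login-failed") >= 2:
        return "medium"
    return "low"

def triage(events, window=timedelta(minutes=15)):
    """Categorise and correlate events per source IP within a time window,
    prioritise the resulting incidents by severity and assign an owner."""
    by_ip = defaultdict(list)
    for ts, ip, kind in events:
        by_ip[ip].append((ts, kind))
    incidents = []
    for ip, evs in by_ip.items():
        cluster = []
        for ts, kind in evs + [(None, None)]:     # sentinel flushes the last cluster
            if cluster and (ts is None or ts - cluster[0][0] > window):
                kinds = [k for _, k in cluster]
                sev = severity(kinds)
                incidents.append({"src": ip, "first_seen": cluster[0][0].isoformat(),
                                  "events": kinds, "severity": sev,
                                  "assigned_to": ASSIGNMENT[sev]})
                cluster = []
            if ts is not None:
                cluster.append((ts, kind))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(incidents, key=lambda i: (rank[i["severity"]], i["first_seen"]))

if __name__ == "__main__":
    for inc in triage(collate(IDS_ALERTS, AUTH_LOG)):
        print(inc["severity"], inc["src"], inc["assigned_to"], inc["events"])
```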

Current State of Incident Response

- Determine current state
  - Survey of senior management
  - Self-assessment
  - External assessment or audit
History of Incidents

- Past incidents provide valuable information on:
  - Trends
  - Types of events
  - Business impact
- Used as input for the assessment of types and severity of incidents that must be prepared for

Risk Management

- Document the risk factors that apply to the organisation:
  - Threats
  - Vulnerabilities
Elements of an Incident Response Plan

- Preparation - establish approach
- Identification - verify if an incident has happened
- Containment - limit the exposure and communicate with business owners
- Eradication - root cause
- Recovery - SDO (service delivery objectives)
- Lessons learned - what could have been done better

Gap Analysis

- Gap between current incident response capabilities and desired level
  - Processes that need to be improved to be more efficient and effective
  - Resources needed to achieve the objectives for incident response capability
- Gap analysis used for planning purposes
  - Address highest priorities and best cost benefit
Business Impact Analysis

- Consider the potential impact of each type of incident should it occur
  - Systematic activity that assesses the impact of loss of a critical information resource (systems, network device, application, personnel, and/or data)
- Must:
  - Determine loss to the organisation from a function being unavailable
  - Establish the escalation of that loss over time
  - Identify the minimum resources needed for recovery
  - Prioritise the recovery of processes and supporting systems
BIA Goals

- Create a report that helps stakeholders understand what impact an incident could have on the business
- Criticality prioritisation
- Downtime estimation - MTD, MTO, AIW
- Resource requirements - document resources needed to support critical services

BIA Assessment Activities

- Gathering assessment material
- Analysing the information compiled
- Documenting the result and presenting recommendations
- BIA is based on understanding the mission and functions of the business
- It will document all business processes and their priority
Benefits of Conducting a BIA

- Understanding of amount of potential loss
  - Undesirable effects of an outage
  - Types of incidents
- Prioritise restoration activities
- Understanding dependencies between functions
- Raising the level of awareness for response management

Escalation Process for Effective Incident Management

- Develop escalation process
  - Who has authority over various recovery actions or disaster declaration
- The list of actions to be undertaken should be documented in the sequence in which they are to be performed
- Completion of events should be tracked and recorded
  - Non-completion should be escalated as appropriate
Communication

- Communication about the incident may be required for:
  - Senior management
  - Response and recovery teams
  - HR
  - Insurance companies
  - Backup facilities
  - Vendors
  - Customers

Help/Service Desk Processes for Identifying Security Incidents

- Helpdesk should know how to identify an incident from a normal occurrence
  - Often the helpdesk will be the first to become aware of an incident
  - Prompt recognition and escalation is required
Incident Management and Response Teams

- Some of the teams used in incident response include:
  - Emergency action team - evacuation
  - Damage assessment team - assess extent of damage - determine what may be salvaged
  - Emergency management team - coordinating activities of other teams
  - Relocation team - coordinate process to move to alternate location
  - Security team (CSIRT) - monitoring security

Key Decisions to be Made in Planning

- Goals and requirements for each phase
- KGIs and KPIs
- Reporting criteria
- Critical success factors and critical path
- Alternate facilities
- Critical information resources to deploy
- Decision authority and persons responsible
- Available resources
- Scheduling of activities
Organising, Training and Equipping the Response Staff

- Training for IMT staff includes:
  - Induction to the IMT
  - Mentoring team members
  - On-the-job training
  - Formal training

Incident Notification Process

- Timely and relevant information
  - Accurate
- Communicating with other entities
Challenges in Developing an Incident Management Plan

- Lack of management buy-in and organisational consensus
- Mismatch to organisational goals and structure
- IMT member turnover
- Lack of communication process
- Complex and broad plan

Business Continuity and Disaster Recovery Procedures

- BCP goals include incident prevention and mitigation; the DRP is focused on what must be done to restore operations after an incident has already taken place
- DRP is often seen as a subset of BCP
- DRP is traditionally defined as recovery of IT systems after a major failure

© Firebrand Training Ltd

BCP and DRP Planning

- Typical planning phases include:
  - Conducting a risk assessment and BIA
  - Defining a response and recovery strategy
  - Documenting response and recovery plans
  - Training on response procedures
  - Updating plans
  - Testing plans
  - Auditing plans

Recovery Operations

- Recovery mode - running at the alternate site
- Restoration of primary site - when safe to return
  - In some cases the organisation will never return to the original primary site
- Define processes for both recovery and restoration
- Information resources must still be protected during the chaos of the crisis
Recovery Strategies

- Balance of time to recover versus cost to recover
- Some functions may be outsourced
- Detailed plans are written once the recovery strategy has been approved by management

Addressing Threats

- Possible strategies to address threats:
  - Eliminate or neutralise the threat - usually unrealistic
  - Minimise the likelihood of the threat's occurrence - reduce vulnerabilities
  - Minimise the impact of a threat if an incident occurs - redundant systems, insurance
Recovery Sites

- Hot sites
- Warm sites
- Cold sites
- Mobile sites
- Duplicate sites
- Mirror sites
- Reciprocal agreements
Basis for Recovery Site Selection

- AIW
- RTO
- RPO
- SDO
- MTO
- Proximity factors
- Location
- Nature of possible disruption
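An added example (not the course's own material) that ties the BIA figures from the earlier slides to the site selection criteria listed above: a business function's loss escalation over time, AIW and RPO are checked against each candidate recovery site's RTO, data sync interval and annual cost, and the cheapest viable site is chosen, which is the time-versus-cost balance the recovery strategy slide calls for. The business functions, loss schedules, site types, costs and the one-incident-per-year weighting are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BusinessFunction:
    name: str
    aiw_hours: float       # acceptable interruption window (AIW) from the BIA
    rpo_hours: float       # recovery point objective: tolerable data loss
    loss_schedule: tuple   # (hours_down, cumulative_loss) BIA points, starting at (0, 0)

@dataclass(frozen=True)
class RecoveryOption:
    site_type: str
    rto_hours: float       # time the site needs to take over (RTO)
    sync_hours: float      # replication or backup interval the site supports
    annual_cost: float

def cumulative_loss(func, hours_down):
    """Escalation of loss over time: linear interpolation between the BIA points,
    continued at the last segment's slope beyond the last point."""
    pts = list(func.loss_schedule)
    for (h0, l0), (h1, l1) in zip(pts, pts[1:]):
        if hours_down <= h1:
            return l0 + (l1 - l0) * (hours_down - h0) / (h1 - h0)
    (h0, l0), (h1, l1) = pts[-2], pts[-1]
    return l1 + (l1 - l0) * (hours_down - h1) / (h1 - h0)

def viable(func, opt):
    """A site is only viable if its RTO fits inside the AIW and its data sync
    interval meets the RPO."""
    return opt.rto_hours <= func.aiw_hours and opt.sync_hours <= func.rpo_hours

def select_strategy(func, options, incidents_per_year=1.0):
    """Balance time to recover against cost to recover: for each viable option,
    annual exposure = site cost + expected outage loss incurred up to its RTO
    (assumed weighting). Returns the cheapest viable site type and all exposures."""
    exposure = {o.site_type: o.annual_cost + incidents_per_year * cumulative_loss(func, o.rto_hours)
                for o in options if viable(func, o)}
    if not exposure:
        return None, exposure          # no site meets the BIA requirements
    return min(exposure, key=exposure.get), exposure

# Constructed BIA figures and site options (assumptions for illustration)
ORDERS = BusinessFunction("order processing", aiw_hours=8, rpo_hours=1,
                          loss_schedule=((0, 0), (1, 5000), (4, 30000), (8, 90000), (24, 400000)))
HR_PORTAL = BusinessFunction("HR portal", aiw_hours=72, rpo_hours=24,
                             loss_schedule=((0, 0), (24, 2000), (72, 10000)))
OPTIONS = (
    RecoveryOption("hot site", rto_hours=1, sync_hours=0.25, annual_cost=250000),
    RecoveryOption("warm site", rto_hours=12, sync_hours=4, annual_cost=80000),
    RecoveryOption("cold site", rto_hours=72, sync_hours=24, annual_cost=20000),
    RecoveryOption("reciprocal agreement", rto_hours=24, sync_hours=24, annual_cost=5000),
)

if __name__ == "__main__":
    for f in (ORDERS, HR_PORTAL):
        best, exposure = select_strategy(f, OPTIONS)
        print(f.name, "->", best, exposure)
```

The order-processing function can only be served by the hot site because every other option's RTO exceeds its 8-hour AIW, while the HR portal's long AIW makes the reciprocal agreement the cheapest viable choice.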
Response and Recovery Strategy Implementation

- Detailed response and recovery plans are developed
  - Pre-incident readiness
  - Identification of business processes to be restored
  - Steps to be followed
  - Resources

Integrating Incident Response with Business Continuity

- Agreement on process for transition from IRP to BCP
- Agreement on:
  - Timelines, RTO, MTO, MTD, RPO, SDO
  - Risk tolerance
  - BIA
Notification and Supplies

- Have communications plan for stakeholders
- Ensure needed supplies are available
  - Hardware
  - Software
  - Facilities
  - Networks
  - Communications

Communications Network

- Plan must contain details of networks and communications requirements to support business operations
  - Telephone
  - Wide Area Networks
  - LANs
  - Landlines
  - Wireless
  - UPS systems for network equipment
Methods for Providing Continuity of Network Services

- Redundancy
- Alternate routing
- Diverse routing
- Long-haul network diversity
- Last-mile circuit protection

High Availability Considerations

- Server and data recovery
  - Direct attached storage
  - Network attached storage
  - Storage area network
  - RAID
Insurance

- Ensure adequate insurance coverage
  - Cyber insurance
  - General coverage
  - IT-related insurance
  - Business interruption insurance

Updating Recovery Plans

- Response and recovery plans need to change as the organisation changes
  - Changes in priorities
  - New applications
  - Changes in software or hardware environments
  - Changes in physical and environmental conditions
- Periodic review
- Version control

© 2017 Firebrand

Testing Incident Response and Business Continuity/Disaster Recovery Plans

- Test all aspects of the IRP
  - Identify gaps
  - Verify assumptions
  - Test timelines
  - Determine effectiveness of strategies
  - Evaluate performance of personnel
  - Determine accuracy and currency of plans

Testing

- Provides collaboration and coordination between team members and plans
- Avoid affecting the business while testing
- Document the test
- Ensure security is not compromised during the test
Periodic Testing of the Response and Recovery Plans

- Develop test objectives
- Execute the test
- Evaluate the test
- Develop recommendations to improve the plans and the testing process
- Implement follow-up procedures
- An untested plan poses an unacceptable level of risk for the organisation

Types of Tests

- Checklist review
- Structured walkthrough
- Simulation test
- Parallel test
- Full interruption test
Testing Categories

- Paper test
- Preparedness tests
- Full operational tests

Test Results

- Verify completeness of the plan
- Evaluate performance of personnel
- Appraise level of training and awareness
- Evaluate coordination amongst team members
- Measure the ability of the backup site to perform prescribed processing
- Assess vital records retrieval
- Evaluate state of equipment
- Measure overall performance
Executing Response and Recovery Plans

- Test under realistic conditions
- The more severe the incident, the more chaos
- All reasonably anticipated events must be anticipated and prepared for
- Planning must be thorough, realistic and tested

Post-incident Activities and Investigation

- Lessons learned
- Calculate total cost of the incident
- Improved response capability
Identifying Causes and Corrective Action

- Review the incident - review team
  - Internal source of incident
  - External source of incident
  - Lack of controls
  - Patches not applied
- Answer the 6 W's - who, what, where, when, how, why

Document Events

- Have a clear record of events
- Allow for investigation, analysis and forensics
Establish Procedures

- The plans should be action-oriented - step-by-step activities
- Address logistics - movement of people, equipment, data
- Follow good forensic procedures in case of legal challenges

Requirements for Evidence

- Contamination of evidence may prevent prosecution or limit its options:
  - Could inhibit attempts to discover the perpetrator
  - Prevent determining how the event occurred
- First step for a compromised computer is often to disconnect power
  - Not possible with the Cloud or many servers!
  - Prevent erasure or overwriting of files
Requirements for Evidence (continued)

- Train personnel that will be involved in the investigation
- Using forensic tools, create a bit-level image of the source drive or other media
  - Use a write-protect device
- Protect the original media
  - Evidence custodian

Legal Aspects of Forensic Evidence

- Use forensically sound practices
  - Established and documented procedures for evidence gathering and investigation
  - Trained personnel
- Chain of custody
  - Unbroken documented record of all activities associated with the evidence throughout the evidence lifecycle
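An added example (not from the course material) of the imaging and chain-of-custody requirements on the two slides above: the source media is a constructed in-memory byte string behind a read-only wrapper that plays the role of the write-protect device, the bit-level image is accepted only when its hash matches the source, and each custody record commits to the hash of the previous record so an edited or removed record, or an altered image, breaks verification. Record fields, custodian names and timestamps are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

class WriteBlocked:
    """Read-only view of the source media, standing in for the write-protect
    device: reads return every byte, writes are refused."""
    def __init__(self, data: bytes):
        self._data = bytes(data)
    def read(self) -> bytes:
        return bytes(self._data)
    def write(self, *_):
        raise PermissionError("source media is write-blocked")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire_image(media: WriteBlocked):
    """Bit-level image of the media, accepted only if the hash of the image
    equals the hash of the source read again afterwards (source untouched)."""
    image = media.read()
    src_hash, img_hash = sha256(media.read()), sha256(image)
    if src_hash != img_hash:
        raise ValueError("image does not match source media")
    return image, img_hash

def add_custody_entry(log, custodian, action, evidence_hash, when=None):
    """Append a custody record that commits to the previous record's hash, so the
    log can only be extended, never silently edited or shortened."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"when": when or datetime.now(timezone.utc).isoformat(),
             "custodian": custodian, "action": action,
             "evidence_hash": evidence_hash, "prev_hash": prev}
    entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry

def verify_custody(log, image: bytes) -> bool:
    """True only if every record links to its predecessor and is unaltered, and
    the image still matches the hash recorded at acquisition (the first record)."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev:
            return False
        if sha256(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return bool(log) and log[0]["evidence_hash"] == sha256(image)

# Constructed media content (not a real disk image)
SOURCE_MEDIA = WriteBlocked(b"BOOT" + bytes(range(256)) * 4 + b"\xffEND")

if __name__ == "__main__":
    image, digest = acquire_image(SOURCE_MEDIA)
    custody = []
    add_custody_entry(custody, "examiner A", "acquired image", digest)
    add_custody_entry(custody, "evidence custodian B", "sealed and stored original", digest)
    print("chain intact:", verify_custody(custody, image))
```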
Procedures for Investigations

- Procedures should be:
  - Legal
  - Approved by HR and legal counsel
  - Followed rigorously
  - Documented
  - Checklists
- Investigations should be fair, unbiased and well documented
- Follow local laws

End of Chapter Four